Bug 1733966 (CVE-2019-1010268) - CVE-2019-1010268 ladon: XXE leads to information disclosure
Summary: CVE-2019-1010268 ladon: XXE leads to information disclosure
Keywords:
Status: NEW
Alias: CVE-2019-1010268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 10:52 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2019-07-29 10:52:29 UTC
Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Reference:
https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688
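
A defensive check for the class of bug described above, added here as an example and not Ladon's own code: a SOAP handler can refuse any request that declares a DTD before the body reaches the application's XML parser, since without a DTD no external entity (file read or internal-network fetch) can be declared. It uses only the Python standard library's expat DOCTYPE callback; the two envelope samples are constructed for the demonstration.

```python
"""Reject SOAP requests that carry a <!DOCTYPE> before parsing the body."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"


class DtdNotAllowed(ValueError):
    """Raised when an inbound SOAP document declares a DTD."""


def parse_soap_without_dtd(raw: bytes) -> ET.Element:
    """Parse a SOAP envelope, refusing any document that declares a DTD.

    Entities can only be declared inside a DTD, so rejecting the DOCTYPE
    blocks both external-entity reads and internal entity expansion.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called by expat as soon as <!DOCTYPE ...> is seen, before any
        # entity in the internal subset is processed or used.
        raise DtdNotAllowed("DOCTYPE %r not allowed in SOAP request" % name)

    probe = xml.parsers.expat.ParserCreate()
    probe.StartDoctypeDeclHandler = on_doctype
    # No ExternalEntityRefHandler is installed, so this probe never fetches
    # external resources even on documents that get past the check.
    probe.Parse(raw, True)  # raises DtdNotAllowed, or ExpatError if malformed
    return ET.fromstring(raw)


def soap_body_children(raw: bytes) -> list:
    """Return the tag names of the operations inside soapenv:Body."""
    body = parse_soap_without_dtd(raw).find(SOAP_ENV + "Body")
    return [child.tag for child in body] if body is not None else []


def is_accepted(raw: bytes) -> bool:
    """True if the request passes the DTD check, False if it is rejected."""
    try:
        parse_soap_without_dtd(raw)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples: a plain SOAP call and one that declares a DTD.
SAFE_REQUEST = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getUser><name>alice</name></getUser></soapenv:Body>
</soapenv:Envelope>"""

DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "file:///dev/null">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getUser><name>&ext;</name></getUser></soapenv:Body>
</soapenv:Envelope>"""
```

The same check applies to any SOAP or XML endpoint; in a real deployment it belongs in front of whatever parser the handler uses, and the rejection should be logged as a probable XXE attempt.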

Comment 1 Dhananjay Arunesh 2019-07-29 10:52:49 UTC
External References:

https://www.exploit-db.com/exploits/43113
