1790381 – (CVE-2020-1693) CVE-2020-1693 spacewalk: XML entity attacks on /rpc/api

Bug 1790381 (CVE-2020-1693) - CVE-2020-1693 spacewalk: XML entity attacks on /rpc/api

Summary: CVE-2020-1693 spacewalk: XML entity attacks on /rpc/api

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-1693
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1791164
Blocks:	1785261
TreeView+	depends on / blocked

Reported:	2020-01-13 09:36 UTC by msiddiqu
Modified:	2021-11-15 13:07 UTC (History)
CC List:	5 users (show)
Fixed In Version:	redstone-xmlrpc 1.1_20071120-21, spacewalk 2.10
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Spacewalk where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
Clone Of:
Environment:
Last Closed:	2021-11-15 13:07:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2020-01-13 09:36:12 UTC

Spacewalk up to version 2.9 is vulnerable to XML internal entity via the /rpc/api endpoint. Using this vulnerability could allow an attacker to extract local files from the system running Spacewalk, but also files remotely accessible from the host. In addition, this vulnerability opens up the door for server side request forgery, denial of service attacks and potentially remote code execution in some cases.

Comment 1 msiddiqu 2020-01-13 13:42:22 UTC

Acknowledgments:

Name: Thibaut Zonca

Comment 2 Doran Moppert 2020-01-13 22:57:48 UTC

This vulnerability is closely related to CVE-2018-1077, previously reported and fixed in bz 1555429.

Comment 6 Cedric Buissart 2020-02-10 20:09:33 UTC

Statement:

This flaw was rated Medium in the context of Red Hat Satellite v.5, because it does not allow remote code execution, and because of the limitation imposed when retrieving file content.

Comment 7 Cedric Buissart 2020-02-11 14:53:32 UTC

Upstream fix:
https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

Note You need to log in before you can comment on or make changes to this bug.