GHSA-432C-WXPG-M4Q3

Vulnerability from github – Published: 2025-02-07 20:32 – Updated: 2025-02-07 20:32
VLAI
Summary
xml2rfc has file inclusion irregularities
Details

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.

It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.

The xml2rfc <= 3.26.0 behaviour:

xinclude XML entity reference artwork src= sourcecode src=
without --allow-local-file-access flag No filesystem access Any file in xml2rfc templates dir and below, any file in source directory and below Access source directory and below Access source directory and below
with --allow-local-file-access flag Access any file on filesystem[^1] Access any file on filesystem[^1] Access source directory and below Access source directory and below

[^1]: Access any file of the filesystem with the permissions of the user running xml2rfc can access.

Impact

Anyone running xml2rfc as a service that accepts input from external users is impacted by this issue. Specifying a file in src attribute in artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc’s output results. But that file has to be inside the same directory as the XML input source file. For artwork and sourcecode, xml2rfc will not look above the source file directory.

The proposed new behaviour

  • Generalize file access checks.
  • Only allow access to files within src dir and below. (xml entity include can access templates dir).
  • Always allow access to templates_dir for XML entity includes.

New behaviour:

xinclude XML entity reference artwork src= sourcecode src=
without --allow-local-file-access flag No filesystem access No filesystem access (except for templates_dir) No filesystem access No filesystem access
with --allow-local-file-access flag Access source directory and below Access source directory and below (Can accesstemplates_dir). Access source directory and below Access source directory and below

Workarounds

Use a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "xml2rfc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.12.0"
            },
            {
              "fixed": "3.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-07T20:32:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Version [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag.\nThis prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references.\n\nIt was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. \n\nThe `xml2rfc \u003c= 3.26.0` behaviour:\n\n|  | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` |\n|---|---|---|---|---|\n| without `--allow-local-file-access` flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below |\n| with `--allow-local-file-access` flag | Access any file on filesystem[^1] | Access any file on filesystem[^1] | Access source directory and below | Access source directory and below | Access source directory and below |\n\n  [^1]: Access any file of the filesystem with the permissions of the user running `xml2rfc` can access.\n\n### Impact\n\nAnyone running `xml2rfc` as a service that accepts input from external users is impacted by this issue.\nSpecifying a file in `src` attribute in `artwork` or `sourcecode` elements will cause the contents of that file to appear in xml2rfc\u2019s output results.\nBut that file has to be inside the same directory as the XML input source file.\nFor `artwork` and `sourcecode`, `xml2rfc` will not look above the source file directory.\n\n### The proposed new behaviour\n- Generalize file access checks.\n- Only allow access to files within src dir and below. (xml entity include can access templates dir).\n- Always allow access to `templates_dir` for XML entity includes.\n\nNew behaviour:\n\n|  | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` |\n|---|---|---|---|---|\n| without `--allow-local-file-access` flag | No filesystem access | No filesystem access _(except for `templates_dir`)_ | No filesystem access | No filesystem access |\n| with `--allow-local-file-access` flag | Access source directory and below | Access source directory and below _(Can access`templates_dir`)._ | Access source directory and below | Access source directory and below |\n\n### Workarounds\n\nUse a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.",
  "id": "GHSA-432c-wxpg-m4q3",
  "modified": "2025-02-07T20:32:27Z",
  "published": "2025-02-07T20:32:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-432c-wxpg-m4q3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ietf-tools/xml2rfc/commit/ec98f9cb4b9a8658222117df037dda473ca3f4e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ietf-tools/xml2rfc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xml2rfc has file inclusion irregularities"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…