Jolokia XML External Entity

high Web Application Scanning Plugin ID 113199

Synopsis

Jolokia XML External Entity

Description

Jolokia is a JMX-HTTP bridge that provides an alternative to JSR-160 connectors. Jolokia exposes a reloadByURL action (provided by the Logback library) that allows an attacker to reload the logging configuration from an external URL, resulting in an XML External Entity (XXE) vulnerability.

Solution

If the Jolokia endpoint is not needed, it should be disabled. If the Jolokia endpoint is required, it should be secured using Spring Security.

See Also

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

Plugin Details

Severity: High

ID: 113199

Type: remote

Published: 3/24/2022

Updated: 3/24/2022

Scan Template: pci, api, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:jolokia:jolokia:*:*:*:*:*:*:*:*

Reference Information