tencent cloud

Feedback

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Last updated: 2022-06-23 11:14:26
    On September 11, 2020, the Apache Software Foundation issued a security advisory to fix the XXE vulnerability in Apache Cocoon (CVE-2020-11991).

    Vulnerability Details

    Apache Cocoon is a Spring-based framework built around the concepts of separation. All processing jobs under it are linearly connected by predefined processing components, which can process the inputs and generated outputs in a pipeline sequence. Its users include Apache Lenya, Daisy CMS, Hippo CMS, Mindquarry, etc. It is usually used as a data ETL tool or relay for data transfer between systems.
    CVE-2020-11991 is related to StreamGenerator. When using the StreamGenerator, Cocoon parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

    Risk Level

    High Risk

    Vulnerability Risk

    A specially crafted XML, including external system entities, could be used to access any file on the server system.

    Affected Versions

    Apache Cocoon <= 2.1.12

    Suggestions for Fix

    The vulnerability has been officially fixed in the new version. Tencent Security recommends you:
    Upgrade to the latest version (2.1.13) of Apache Cocoon.
    Use Tencent Cloud WAF that supports detection of and defense against XXE vulnerabilities like CVE-2020-11991.
    Note:
    Back up your data before installing the patch to avoid accidental losses.

    References

    Official update notice:
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support