tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Web Application Firewall
    Documentation
    Download PDF

    Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

    Last updated: 2022-06-23 11:14:26
    Download PDF
      On September 11, 2020, the Apache Software Foundation issued a security advisory to fix the XXE vulnerability in Apache Cocoon (CVE-2020-11991).

      Vulnerability Details

      Apache Cocoon is a Spring-based framework built around the concepts of separation. All processing jobs under it are linearly connected by predefined processing components, which can process the inputs and generated outputs in a pipeline sequence. Its users include Apache Lenya, Daisy CMS, Hippo CMS, Mindquarry, etc. It is usually used as a data ETL tool or relay for data transfer between systems.
      CVE-2020-11991 is related to StreamGenerator. When using the StreamGenerator, Cocoon parses a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

      Risk Level

      High Risk

      Vulnerability Risk

      A specially crafted XML, including external system entities, could be used to access any file on the server system.

      Affected Versions

      Apache Cocoon <= 2.1.12

      Suggestions for Fix

      The vulnerability has been officially fixed in the new version. Tencent Security recommends you:
      Upgrade to the latest version (2.1.13) of Apache Cocoon.
      Use Tencent Cloud WAF that supports detection of and defense against XXE vulnerabilities like CVE-2020-11991.
      Note:
      Back up your data before installing the patch to avoid accidental losses.

      References

      Official update notice:
      Apache Cocoon
      Apache Cocoon 2.2
      CVE-2020-11991
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy