Minio-Java, XML External Entity Information Disclosure, CVE-2024-29030 (High)


The vulnerability in minio-java versions before 8.6.0 stems from a flawed XML parsing mechanism. The library's XML parser was configured to automatically resolve and substitute Java system property and environment variable references embedded within XML tag values. For instance, if an attacker-supplied XML file contained a tag with the value `${user.home}`, the parser would replace this string with the actual file path to the current user's home directory. Similarly, a tag containing `${env.SECRET_KEY}` would be substituted with the value of that environment variable. This behavior, similar to a limited form of XML Entity Expansion, occurs during the processing of the document object model, where the tag's text content is actively interpolated. An attacker can exploit this by crafting a malicious XML payload designed to exfiltrate sensitive data. By submitting this XML to an application using a vulnerable minio-java client, the attacker can receive responses where these placeholders have been replaced with the actual, sensitive values from the server's environment, leading to significant information disclosure.
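As an added illustration (not code from this advisory or from the minio-java project), the following Python scans an XML document for the `${...}` placeholders described above, so untrusted XML can be rejected or logged before it reaches a client that has not yet been upgraded. The S3-style sample document is constructed for this example, and the `find_placeholders`, `classify` and `reject_templated_xml` names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Matches the ${...} templates described above, e.g. ${user.home} or ${env.SECRET_KEY}.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def _local(tag):
    """Strip an XML namespace prefix: {http://...}Name -> Name."""
    return tag.rsplit("}", 1)[-1]


def find_placeholders(xml_text):
    """Return (element_path, location, placeholder) for every ${...} template
    found in element text, tail text or attribute values.

    ElementTree's expat parser does not fetch external entities, so this
    pre-scan does not itself introduce an XXE risk.
    """
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, parent_path):
        path = f"{parent_path}/{_local(elem.tag)}"
        for m in PLACEHOLDER.finditer(elem.text or ""):
            hits.append((path, "text", m.group(0)))
        for name, value in elem.attrib.items():
            for m in PLACEHOLDER.finditer(value):
                hits.append((path, f"@{_local(name)}", m.group(0)))
        for child in elem:
            walk(child, path)
            # Text after a child element still belongs to the parent's content.
            for m in PLACEHOLDER.finditer(child.tail or ""):
                hits.append((path, "tail", m.group(0)))

    walk(root, "")
    return hits


def classify(placeholder):
    """Say what the vulnerable parser would substitute for a placeholder:
    ${env.NAME} reads an environment variable, anything else a Java system property."""
    name = placeholder[2:-1]
    if name.startswith("env."):
        return ("environment variable", name[4:])
    return ("system property", name)


def reject_templated_xml(xml_text):
    """Gate for untrusted XML: return it unchanged when it carries no
    ${...} templates, otherwise raise with a report of what would leak."""
    hits = find_placeholders(xml_text)
    if hits:
        report = "; ".join(
            f"{path} {where} -> {classify(ph)[0]} '{classify(ph)[1]}'"
            for path, where, ph in hits
        )
        raise ValueError(f"XML contains interpolation templates: {report}")
    return xml_text


# Constructed sample in the shape of an S3 listing response; the placeholders
# are the ones named in the advisory text.
SAMPLE_XML = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>reports</Name>
  <Prefix>${user.home}</Prefix>
  <Contents>
    <Key>${env.SECRET_KEY}</Key>
    <Size>1024</Size>
  </Contents>
  <Contents storage="${env.STORAGE_CLASS}">
    <Key>plain-file.txt</Key>
  </Contents>
</ListBucketResult>
"""

if __name__ == "__main__":
    for path, where, ph in find_placeholders(SAMPLE_XML):
        kind, name = classify(ph)
        print(f"{path} [{where}]: {ph} would expand to {kind} {name!r}")
```

The scan covers attribute values and tail text as well as element text, because the advisory only says the parser interpolates "tag values" without saying how narrowly that is meant; flagging every location errs on the side of detection. Treat a hit as a signal to log the source and refuse the document, not as something to strip silently.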

DailyCVE Form

Platform: Minio Java Client
Version: < 8.6.0
Vulnerability: XXE Information Disclosure
Severity: High
Date: 2024-03-31

Prediction: Patched 2024-03-31

What Undercode Says:

Analytics

`grep -r "org.xml" pom.xml`

`find . -name "*.jar" | grep minio`

`System.getenv().forEach((k, v) -> System.out.println(k + ":" + v));`

How to Exploit:

`${user.home}`

`${env.AWS_ACCESS_KEY}`

`curl -X POST -d @malicious.xml http://target/endpoint`

Protection from this CVE

Upgrade to 8.6.0

Sanitize XML input

Avoid untrusted XML
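As an added example to go with the upgrade advice (not a script from this advisory or from the minio-java project), this Python reads a Maven pom.xml, finds any io.minio:minio dependency (the Maven coordinates of minio-java), resolves a `${...}` version property the way Maven would, and reports whether the declared version is below 8.6.0. The sample POM is constructed for the example and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = (8, 6, 0)  # first minio-java release the advisory names as fixed


def _local(tag):
    """Strip an XML namespace prefix: {http://...}Name -> Name."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'8.5.9' -> (8, 5, 9). The numeric prefix of each dotted piece is kept,
    so '8.5.9-SNAPSHOT' -> (8, 5, 9); missing pieces are padded with 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def resolve_property(root, value):
    """Resolve a Maven ${name} reference against <properties>; other values pass through."""
    if value.startswith("${") and value.endswith("}"):
        name = value[2:-1]
        props = root.find("m:properties", POM_NS)
        if props is not None:
            for child in props:
                if _local(child.tag) == name and child.text:
                    return child.text.strip()
    return value


def minio_dependencies(pom_text):
    """Return the declared versions of every io.minio:minio dependency in the POM."""
    root = ET.fromstring(pom_text)
    versions = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        if group == "io.minio" and artifact == "minio":
            version = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
            versions.append(resolve_property(root, version))
    return versions


def is_affected(version):
    """True when the version is below 8.6.0, False when at or above it, and
    None when no version is declared here (managed by a parent or BOM)."""
    if not any(ch.isdigit() for ch in version):
        return None
    return parse_version(version) < FIXED_VERSION


def audit_pom(pom_text):
    """[(version, affected)] for every minio-java dependency in the POM."""
    return [(v, is_affected(v)) for v in minio_dependencies(pom_text)]


# Constructed sample POM: the minio version is declared through a property,
# which is the common layout that a plain grep for the version string misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>uploader</artifactId>
  <version>1.0</version>
  <properties>
    <minio.version>8.5.9</minio.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.minio</groupId>
      <artifactId>minio</artifactId>
      <version>${minio.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>helper</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        print(f"io.minio:minio {version or '(unversioned)'}: affected={affected}")
```

A `None` result means the version is inherited from a parent POM or a dependency BOM, so the check must be repeated there; the authoritative answer is the resolved dependency tree, which this file-level check approximates.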

Impact:

Credential leakage

Path disclosure

Configuration exposure


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
