The CVE-2020-11050 vulnerability in XWiki's JIRA macro allows authenticated users to perform XXE attacks by injecting malicious XML content. When a user edits their profile page and embeds the JIRA macro with a crafted JIRA URL, the server processes external entities defined in the XML response. By specifying a `DOCTYPE` with a local file reference (e.g., `file:///etc/passwd`), the attacker can read arbitrary files from the server. The XML parser interprets the entity and renders the file content in JIRA item fields such as the description.
DailyCVE Form
Platform: XWiki
Version: <8.6.5
Vulnerability: XXE Injection
Severity: Critical
Date: 2020-05-07
What Undercode Say:
Exploitation:
- Craft a fake JIRA endpoint returning malicious XML (the entity declaration is the one the text above describes):

```xml
<?xml version="1.0"?>
<!DOCTYPE exploit [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<rss>
  <item>
    <description>&xxe;</description>
  </item>
</rss>
```
- Embed the JIRA macro in a user profile with the malicious URL.
Detection:
Check for unpatched JIRA macro versions:

```bash
grep -r "jira-macro" /path/to/xwiki/extensions | grep -v "8.6.5"
```
Protection:
1. Upgrade to JIRA Extension v8.6.5+:

```bash
xwiki-extension-manager update org.xwiki.contrib.jira:jira-macro
```
2. Disable external entity processing in XML parsers:

```java
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE declaration, so a remote feed cannot declare entities at all.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
```
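The hardened parser from step 2 carried through as a complete, added example (not XWiki's or the JIRA macro's own code; `HardenedRssParser` and `firstDescription` are hypothetical names, and both sample feeds are constructed). It shows that a feed carrying any `DOCTYPE` is refused before an entity can be resolved, while a plain RSS feed still parses:

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper (not XWiki's code) showing the hardened parser the
// "Protection" step describes: DOCTYPE declarations are rejected outright, so
// no entity, internal or external, can ever be declared by a remote feed.
public class HardenedRssParser {

    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control from the advisory: refuse any <!DOCTYPE ...>.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns the first <description> text of the feed, or throws if the
    // document is rejected by the hardened parser.
    static String firstDescription(String rssXml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(rssXml)));
        return doc.getElementsByTagName("description").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample feeds, not real JIRA responses.
        String benign = "<?xml version=\"1.0\"?><rss><item><description>ok</description></item></rss>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"harmless\">]>"
                + "<rss><item><description>&e;</description></item></rss>";

        System.out.println("benign feed -> " + firstDescription(benign));
        try {
            firstDescription(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            // Expected: the parser refuses the DOCTYPE before any entity is resolved.
            System.out.println("feed with DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same factory settings apply to `SAXParserFactory` and `XMLInputFactory` consumers; whichever parser reads the JIRA response needs them, not just the one shown here.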
Analytics:
- Affected systems: XWiki instances with JIRA macro enabled.
- Attack vector: Authenticated XXE via macro misuse.
- Mitigation urgency: Immediate upgrade required.
References:
Reported By: https://github.com/advisories/GHSA-wc53-4255-gw3f
Extra Source Hub:
Undercode