CVE-2023-49110

XML External Entity Injection in Kiuwan SAST

Description

When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web application (either on-premises or cloud/SaaS solution), the transmitted data consists of a ZIP archive containing several files, some of them in the XML file format. During Kiuwan's server-side processing of these XML files, it resolves external XML entities, resulting in a XML external entity injection attack. An attacker with privileges to scan source code within the "Code Security" module is able to extract any files of the operating system with the rights of the application server user and is potentially able to gain sensitive files, such as configuration and passwords. Furthermore, this vulnerability also allows an attacker to initiate connections to internal systems, e.g. for port scans or accessing other internal functions / applications such as the Wildfly admin console of Kiuwan. This issue affects Kiuwan SAST: <master.1808.p685.q13371

Remediation

Solution:

  • The vendor provides a patched version master.1808.p685.q13371 which should be installed immediately. See the changelog from the vendor: https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log * XML External Entity Injection => CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06 * Services Running as Root => is SAS-6856 and SAS-6857 fixed on release 2024-05-15 * Reflected Cross-site-scripting => CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06 * Insecure Direct Object Reference => CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06 * Sensitive Data Stored Insecurely => CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06 The following upgrade guide was provided by the vendor: https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide Although initially communicated otherwise during responsible disclosure in 2022-2023 (see timeline above), the vendor confirmed in 2024 that the SaaS/cloud version is affected and will also be patched. The patch date was 2024-02-05, version 2.8.2402.3. SEC Consult also submitted further security issues to Kiuwan, such as Docker-related configuration issues which were also fixed during our responsible disclosure. * Sensitive Data Stored Insecurely for MySQL * Sensitive Data displayed for wildfly * Containers Running as root User * Containers running in the host network * Exposure of Internal Services

Category

7.2
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.18%
Third-Party Advisory sec-consult.com
Affected: Kiuwan SAST
Published at:
Updated at:

References

Link Tags
https://r.sec-consult.com/kiuwan third party advisory
https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log release notes

Frequently Asked Questions

What is the severity of CVE-2023-49110?
CVE-2023-49110 has been scored as a high severity vulnerability.
How to fix CVE-2023-49110?
To fix CVE-2023-49110: The vendor provides a patched version master.1808.p685.q13371 which should be installed immediately. See the changelog from the vendor: https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log * XML External Entity Injection => CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06 * Services Running as Root => is SAS-6856 and SAS-6857 fixed on release 2024-05-15 * Reflected Cross-site-scripting => CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06 * Insecure Direct Object Reference => CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06 * Sensitive Data Stored Insecurely => CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06 The following upgrade guide was provided by the vendor: https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide Although initially communicated otherwise during responsible disclosure in 2022-2023 (see timeline above), the vendor confirmed in 2024 that the SaaS/cloud version is affected and will also be patched. The patch date was 2024-02-05, version 2.8.2402.3. SEC Consult also submitted further security issues to Kiuwan, such as Docker-related configuration issues which were also fixed during our responsible disclosure. * Sensitive Data Stored Insecurely for MySQL * Sensitive Data displayed for wildfly * Containers Running as root User * Containers running in the host network * Exposure of Internal Services
Is CVE-2023-49110 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-49110 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-49110?
CVE-2023-49110 affects Kiuwan SAST.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.