Vulnerabilities > CVE-2019-18213 - XML Injection (aka Blind XPath Injection) vulnerability in multiple products

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

xml-language-server-project

eclipse

theia-xml-extension-project

CWE-91

NVD

Published: 2019-10-23

Updated: 2021-07-21

Summary

XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.

Vulnerable Configurations

Part	Description	Count
Application	Xml_Language_Server_Project XML Language Server Project XML Server Project - XML Language Server Project XML Server Project 0.0.1 XML Language Server Project XML Server Project 0.0.2 XML Language Server Project XML Server Project 0.3.0 XML Language Server Project XML Server Project 0.4.0 XML Language Server Project XML Server Project 0.5.0 XML Language Server Project XML Server Project 0.5.1 XML Language Server Project XML Server Project 0.6.0 XML Language Server Project XML Server Project 0.7.0 XML Language Server Project XML Server Project 0.8.0 XML Language Server Project XML Server Project 0.9.0	11
Application	Eclipse Eclipse Wild WEB Developer -	1
Application	Theia_Xml_Extension_Project Theia XML Extension Project Theia XML Extension -	1

Common Weakness Enumeration (CWE)

CWE-91 - XML Injection (aka Blind XPath Injection)

Common Attack Pattern Enumeration and Classification (CAPEC)

XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References