VYPR
Critical severity · NVD Advisory · Published Dec 20, 2018 · Updated Sep 16, 2024

CVE-2018-1000836

Description

bw-calendar-engine versions <= bw-calendar-engine-3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle position or a malicious server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXE vulnerability in bw-calendar-engine's IscheduleClient XML parser allows data disclosure, denial of service, SSRF, and port scanning via MitM or malicious server.

Vulnerability

An XML External Entity (XXE) vulnerability exists in the bw-calendar-engine library, affecting versions up to and including bw-calendar-engine-3.12.0 (and <= 3.12.2 per the advisory [3]). The flaw resides in the IscheduleClient.java file, specifically within the org.bedework.calsvc.scheduling.hosts package. The XML parser is insecurely configured, allowing external entity resolution when processing user-supplied XML content [1][4]. The vulnerable code path retrieves XML from an InputSource wrapping an InputStreamReader, as shown at line 422 of the source [4].

Exploitation

An attacker can exploit this vulnerability by performing a Man-in-the-Middle (MitM) attack or by controlling a malicious server that the application contacts [1][4]. The attacker supplies crafted XML input containing references to external entities. The insecure parser processes these entities without proper validation, enabling the attack without requiring authentication or user interaction [4].

Impact

Successful exploitation can lead to disclosure of confidential data (e.g., file contents via file:// entities), denial of service (DoS), server-side request forgery (SSRF), and port scanning from the machine hosting the parser [1][4]. The attacker can achieve these outcomes by leveraging the XXE to interact with internal resources or exhaust system resources.

Mitigation

According to the GitHub Advisory Database, the affected versions are <= 3.12.2, and a fix may be available in newer releases [3]. Users should upgrade to a patched version of bw-calendar-engine that disables XML external entity processing by default. If upgrading is not immediately possible, as a workaround, ensure that the XML parser is configured securely to reject external entities. No official patch was explicitly mentioned in the references; the vulnerability was reported and disclosed in October 2018 [4].
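As an added illustration of the workaround above (not code from bw-calendar-engine, whose parser API the advisory does not name), the following hardens a JAXP DocumentBuilderFactory so that any DOCTYPE, and with it any external entity, is refused before resolution; the class and method names are hypothetical, and the two XML samples are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Hypothetical defender-side helper: a DocumentBuilder with DOCTYPE and
    // external entity processing switched off (assumption: JAXP/Xerces parser).
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; an iSchedule response does not need one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is not honoured by the implementation.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Block any remaining file or network access for external DTDs and schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Same InputSource-based entry point shape as the advisory describes, now on a hardened builder.
    static Document parse(DocumentBuilder db, String xml) throws SAXException, IOException {
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = newHardenedBuilder();

        // Constructed sample: an ordinary response without a DOCTYPE still parses.
        String benign = "<?xml version=\"1.0\"?><response><status>ok</status></response>";
        System.out.println("benign root: " + parse(db, benign).getDocumentElement().getTagName());

        // Constructed sample: any DOCTYPE, even one declaring only an internal entity,
        // is refused before the parser gets a chance to resolve anything.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE response [<!ENTITY e \"x\">]><response>&e;</response>";
        try {
            parse(db, withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```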

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.bedework.caleng:bw-calendar-engine (Maven)
Affected versions: <= 3.12.2
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
