CVE-2018-1000854

Vulnerability

EsiGate versions 5.2 and earlier contain a CWE-74 injection vulnerability in the ESI esi:include directive when the stylesheet attribute is used to specify a remote XSLT. The parser does not properly neutralize special elements, allowing an attacker to supply a malicious XSLT file that triggers code execution. The vulnerable package is org.esigate:esigate-core [1][3][4].

Exploitation

An attacker must exploit another weakness in the backend application to reflect ESI directives, making the EsiGate server include a malicious XSLT stylesheet. The attacker needs the ability to control the XSLT resource URL or content. No authentication is required if the backend application is already compromised or injectable [1][4].

Impact

Successful exploitation results in remote code execution on the server hosting EsiGate. The attacker can achieve full compromise of the affected system, gaining the same privileges as the EsiGate process [1][3].

Mitigation

The vulnerability is fixed in EsiGate version 5.3 [1][3]. The fix switches the XSLT parser to secure mode to prevent execution of malicious commands inserted in stylesheets [4]. Users should upgrade to version 5.3 or later. No workaround is documented. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.