VYPR
High severity · NVD Advisory · Published Dec 10, 2018 · Updated Sep 16, 2024

CVE-2018-20000

Description

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks via crafted invite-reply documents, enabling local file disclosure.

Vulnerability

Apereo Bedework bw-webdav versions prior to 4.0.3 are vulnerable to XML External Entity (XXE) injection. The flaw resides in webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java, which parse incoming XML without disabling external entity processing. An attacker can exploit this by submitting a specially crafted invite-reply document that includes external entity declarations. The vulnerable versions are >= 4.0.1, < 4.0.3 [1][4].

Exploitation

An attacker does not need prior authentication; they can send a malicious XML document (e.g., an invite-reply) to the WebDAV endpoint. The attacker’s XML payload references an external entity pointing to a local file on the server. When the server parses this XML without secure processing, it resolves the entity and includes the file’s content in the response or error output. No special privileges or user interaction beyond submitting the document is required [1][3].

Impact

Successful exploitation leads to information disclosure. The attacker can read arbitrary files from the filesystem of the server hosting bw-webdav, such as configuration files containing credentials or other sensitive data. The compromise is limited to file read; remote code execution or denial of service are not directly achievable through this XXE vector alone [1][4].

Mitigation

The vulnerability is fixed in version 4.0.3, released on or before December 10, 2018. The fix ensures both MethodBase and PostRequestPars use secure XML parsing settings to disable external entity resolution [2][3]. Upgrading to bw-webdav version 4.0.3 or later is the recommended mitigation. No workarounds are documented; applying the patch as soon as possible is advised [4].
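The Vulnerability and Mitigation sections above describe the fix only as "secure XML parsing settings". The following Java class is an added illustration of what that means for a JAXP DocumentBuilderFactory; it is not bw-webdav's own code, and the class name, the sample invite-reply body and the placeholder entity target are constructed for this example. It parses the sample with the JDK default factory and with a hardened one, and reports whether the DOCTYPE was refused before any entity could be resolved.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XxeHardeningCheck {

    // Constructed sample: a CalDAV-style invite-reply body whose DOCTYPE declares an
    // external entity. The SYSTEM target is a placeholder path, not a real file.
    static final String SAMPLE_INVITE_REPLY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE x [ <!ENTITY ext SYSTEM \"file:///constructed/placeholder.txt\"> ]>\n" +
        "<invite-reply xmlns=\"urn:ietf:params:xml:ns:caldav\">" +
        "<hosturl>&ext;</hosturl></invite-reply>";

    /** Hardened factory: refuses DOCTYPE, external entities, external DTDs and XInclude. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * True only if the parser itself rejects the document (SAXParseException on the
     * DOCTYPE). Any other outcome, including an IOException from trying to open the
     * placeholder entity target, means the parser attempted to resolve the entity.
     */
    public static boolean blocksExternalEntities(DocumentBuilderFactory f) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new ByteArrayInputStream(SAMPLE_INVITE_REPLY.getBytes(StandardCharsets.UTF_8)));
            return false;               // parsed cleanly: entity was resolved
        } catch (SAXParseException e) {
            return true;                // refused by parser configuration
        } catch (Exception e) {
            return false;               // resolution was attempted and failed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDK default factory blocks XXE: " + blocksExternalEntities(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory blocks XXE:    " + blocksExternalEntities(hardenedFactory()));
    }
}
```

The check distinguishes a parser that refuses the DOCTYPE from one that merely fails to open the entity target, which is the difference that matters when auditing a servlet like the ones named in this advisory.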

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.bedework:bw-webdav (Maven)
Affected versions: >= 4.0.1, < 4.0.3
Patched versions: 4.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.
