CVE-2018-20318
Description
An XXE vulnerability in weixin-java-tools v3.2.0 allows attackers to read files or perform SSRF via crafted XML in payment result processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the getXmlDoc method of BaseWxPayResult.java in weixin-java-tools v3.2.0. The method creates an XML parser without disabling external entity processing, leading to an XML External Entity (XXE) vulnerability [1]. This code path is reachable when the application processes XML data from WeChat payment results, which are typically supplied by an external source.
Exploitation
An attacker can exploit this by crafting a malicious XML payload containing an external entity that references a local file (e.g., file:///etc/passwd) or an external URL. The attacker does not need authentication if they can control the XML input, for example by intercepting or spoofing a payment notification. The XML parser will resolve the external entity, allowing the attacker to read sensitive files or perform Server-Side Request Forgery (SSRF) [1].
Impact
Successful exploitation enables an attacker to read arbitrary files from the server's filesystem, potentially exposing configuration files, credentials, or other sensitive data. Additionally, SSRF attacks can be used to probe internal network resources, leading to further compromise [1].
Mitigation
As of the publication date, the issue had been reported to the maintainers via GitHub [1]. Users should upgrade to a patched version once one is available. As a workaround, developers can disable external entity processing in the XML parser configuration themselves, for example by calling setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) on the DocumentBuilderFactory before creating the parser. No fixed version is explicitly mentioned in the reference, so users should monitor the repository for updates [1].
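A hardened parser configuration of the kind the workaround above describes, written here as an added example rather than code from weixin-java-tools; the class and method names are assumptions, and the sample payment-result XML is constructed.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    /** Build a DocumentBuilder with DTDs and external entities disabled. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the most complete fix: no DTD means no entities at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parse a payment-result document; returns the DOM or throws if a DTD is present. */
    public static Document parsePaymentResult(String xml) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like a WeChat pay callback (not real data).
        String benign = "<xml><return_code>SUCCESS</return_code>"
                      + "<out_trade_no>T-0001</out_trade_no></xml>";
        Document doc = parsePaymentResult(benign);
        System.out.println("return_code = "
            + doc.getElementsByTagName("return_code").item(0).getTextContent());

        // Any DOCTYPE, even one declaring no entities, is refused before entity resolution can run.
        String withDoctype = "<!DOCTYPE xml><xml><return_code>SUCCESS</return_code></xml>";
        try {
            parsePaymentResult(withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```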
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0.0, v1.1.1, v1.1.2, …
- Range: =3.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/Wechat-Group/weixin-java-tools/issues/889
News mentions
No linked articles in our index yet.