CVE-2020-10992
Description
Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Azkaban versions up to 3.84.0 are vulnerable to XML External Entity (XXE) injection via XML parsing in user and validator managers.
Vulnerability
Azkaban versions up to and including 3.84.0 are vulnerable to XML External Entity (XXE) injection. The flaw is in the XML parsing performed by validator/XmlValidatorManager.java and user/XmlUserManager.java: both load their XML with a parser left at defaults that honour DOCTYPE declarations and resolve external entities, so an attacker who can influence the XML these managers read can declare an entity whose SYSTEM identifier points at a local file or a remote URL and have the parser fetch it. [1]
Exploitation
Exploitation requires getting a crafted XML document in front of one of the affected managers. The description does not identify a network endpoint that feeds them, so the practical precondition is the ability to supply or modify the user-manager XML or validator XML that Azkaban loads; whether that is possible without authentication depends on the deployment, not on the parser. The payload declares an external entity in a DOCTYPE (pointing at a local file or at an http:// URL) and references it from element content. The parser resolves the entity at parse time, so the file or URL is fetched whether or not Azkaban later uses that node; where the resolved value is never echoed back, the usual blind variant is a parameter entity that loads an attacker-hosted DTD and sends the data out of band.
Impact
Successful exploitation lets the attacker read files that the Azkaban service account can read (information disclosure) or make the server issue requests to internal or external systems (server-side request forgery). The impact is bounded by the privileges of the Azkaban process and does not by itself yield code execution.
Mitigation
The CVE record scopes the flaw to releases through 3.84.0, which implies that later releases address it, but this page lists no patch commit; confirm the fix in the linked issue or the release notes before treating an upgrade as the remedy. [1] Independently of version, two controls close the hole: restrict who can write or supply the user and validator XML that these managers load, and configure the parser to reject DOCTYPE declarations and disable external general and parameter entities (the standard JAXP hardening for DocumentBuilderFactory).
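The following is an added illustration of the parser behaviour described in the Vulnerability and Mitigation sections; it is not Azkaban's code. It parses a constructed document (the element names echo an azkaban-users style file but are illustrative, not a verbatim Azkaban file) once with a default DocumentBuilderFactory and once with the hardened configuration. The temporary file stands in for a secret only the service account can read. Requires Java 11 or later for Files.writeString.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload (assumption: element names are illustrative, not an
    // actual Azkaban file). The DOCTYPE declares an external general entity whose
    // SYSTEM identifier is a local file. It is referenced from element text, not
    // from an attribute value, because the XML spec forbids external entity
    // references inside attribute values and the parser would reject those.
    static String payloadFor(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE azkaban-users [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
            + "]>\n"
            + "<azkaban-users>\n"
            + "  <user username=\"attacker\" roles=\"admin\">&xxe;</user>\n"
            + "</azkaban-users>\n";
    }

    // JAXP defaults: DOCTYPE is honoured and external entities are resolved.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser following OWASP's XXE prevention guidance for
    // DocumentBuilderFactory. Rejecting any DOCTYPE stops every external-entity
    // variant; the remaining features are defence in depth for parsers that
    // cannot disallow DOCTYPE outright.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the text inside the first <user> element.
    static String firstUserText(DocumentBuilder b, String xml) throws Exception {
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("user").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the Azkaban service account can read but the attacker cannot.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret");
        String xml = payloadFor(secret);
        try {
            // Default settings: the parser fetched the file during parse(); its
            // contents are in the DOM whether or not the application reads that node.
            System.out.println("default parser: " + firstUserText(vulnerableBuilder(), xml));
            try {
                firstUserText(hardenedBuilder(), xml);
                System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
            } catch (SAXParseException e) {
                // disallow-doctype-decl rejects the document before any entity is resolved.
                System.out.println("hardened parser rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The default parser returns the temporary file's contents as the user element's text; the hardened parser throws a SAXParseException at the DOCTYPE, which is the check to apply to any XML Azkaban loads from a path an attacker might control.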
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Azkaban / Azkaban
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/azkaban/azkaban/issues/2478 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.