XML External Entity Reference on 52North WPS
Description
An XXE (XML External Entity) vulnerability has been detected in 52North WPS, affecting versions prior to 4.0.0-beta.11. This vulnerability allows an attacker to use external entities in its WebProcessingService servlet to retrieve files by making HTTP requests to the internal network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in 52North WPS before 4.0.0-beta.11 allows file retrieval and internal network probing.
Vulnerability
CVE-2023-6280 is an XML External Entity (XXE) vulnerability in the WebProcessingService servlet of 52North WPS versions prior to 4.0.0-beta.11. The product is at the end of its life cycle [1]. The servlet processes XML input without disabling external entity resolution, allowing an attacker to inject a malicious XML payload that references external entities.
Exploitation
An unauthenticated attacker can send a crafted XML request to the WebProcessingService endpoint. No privileged access or user interaction is required. If the request includes an external entity definition pointing to a local file (e.g., file:///etc/passwd) or an internal HTTP resource, the server resolves the entity and includes its contents in the response. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L) confirms the attack is network-based with low complexity [1].
Impact
Successful exploitation allows the attacker to read arbitrary files from the server's file system and to make HTTP requests to internal network hosts, potentially enumerating services or extracting sensitive information. The impact is limited in terms of direct data loss (confidentiality) but can serve as a foothold for further attacks. The product is end-of-life, so no security updates are available [1].
Mitigation
52North WPS is end-of-life, and no patched version exists [1]. Users should migrate to an alternative WPS implementation that is actively maintained. If migration is not immediately possible, network segmentation and strict input validation on the WebProcessingService endpoint may reduce risk, but these are not a complete fix. No official fix or workaround is provided by the vendor.
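One way to apply the input-validation mitigation above is to reject any request body that carries a DOCTYPE before it reaches the servlet. The following is an added example, not code from 52North or from this advisory. It assumes a proxy or gateway hook where raw request bodies can be inspected and that legitimate WPS clients never send a DTD; `check_wps_request` and the sample bodies are hypothetical.

```python
import xml.parsers.expat


class DoctypeRejected(Exception):
    """Raised from the expat callback as soon as a DOCTYPE is seen."""


def check_wps_request(body: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for a raw XML request body.

    expat decodes the body itself (BOM or XML declaration), so a UTF-16
    body is inspected as a document rather than as raw bytes. pyexpat does
    not fetch external entities unless a handler is installed, and none
    is installed here.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity declaration in the subset is processed.
        raise DoctypeRejected(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except DoctypeRejected:
        return False, "DOCTYPE declaration present"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
BENIGN = (b'<wps:Execute xmlns:wps="http://www.opengis.net/wps/1.0.0" '
          b'service="WPS" version="1.0.0"/>')
WITH_DTD = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder">]>'
            b'<r>&ext;</r>')
# Same document re-encoded as UTF-16 with a BOM.
WITH_DTD_UTF16 = WITH_DTD.decode("ascii").encode("utf-16")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("dtd", WITH_DTD),
                        ("dtd-utf16", WITH_DTD_UTF16)]:
        naive = b"<!DOCTYPE" in body  # byte-pattern filter, for comparison
        print(label, check_wps_request(body), "| naive byte match:", naive)
```

The UTF-16 sample shows why the check parses the body instead of matching bytes: a literal `<!DOCTYPE` byte pattern does not appear in that encoding, yet the parser-based check still rejects it.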
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 52North/52North WPS v5 (Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References