CVE-2018-1000822

10.0 CRITICAL

📋 TL;DR

This XXE vulnerability in codelibs fess allows attackers to read sensitive files, cause denial of service, perform SSRF attacks, and scan internal network ports by uploading specially crafted GSA XML files. It affects all fess installations before commit faa265b that process GSA XML files. Users of vulnerable fess versions are at risk of data exposure and system compromise.

💻 Affected Systems

Products:
  • codelibs fess
Versions: All versions before commit faa265b
Operating Systems: All platforms running fess
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the GSA XML file parser component. Any fess installation processing GSA XML files is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including reading sensitive files like /etc/passwd, performing SSRF attacks against internal services, port scanning internal networks, and causing denial of service through resource exhaustion.

🟠 Likely Case

Data exfiltration of sensitive configuration files and internal service enumeration through SSRF attacks.

🟢 If Mitigated

Limited impact if XML parsing is disabled or proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to upload or process GSA XML files. Public proof-of-concept exists demonstrating file read capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit faa265b and later

Vendor Advisory: https://github.com/codelibs/fess/issues/1851

Restart Required: Yes

Instructions:

1. Update fess to commit faa265b or later.
2. Pull the latest changes from the repository.
3. Rebuild and redeploy fess.
4. Restart the fess service.

🔧 Temporary Workarounds

Disable GSA XML file processing
  Applies to: all
  Temporarily disable processing of GSA XML files until the patch can be applied.
  How: Modify the fess configuration to disable the GSA XML parser.

Implement XML input validation
  Applies to: all
  Configure the XML parser to disable external entity processing.
  How: Set the XML parser properties FEATURE_SECURE_PROCESSING=true and disallow-doctype-decl=true.
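The second workaround names the JAXP parser features to set. The following is an added example written for this page, not code from fess: it builds a hardened DocumentBuilder with those two features plus the related external-entity switches, parses a constructed gsafeed-style document, and rejects a constructed document that carries a DOCTYPE. The class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedGsaXmlParser {

    /** Builds a DocumentBuilder with DTD and external entity processing disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Core JAXP switch; on the JDK parser it also enforces entity expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: without a DTD no entity can be declared at all.
        // Caveat: GSA feed files often begin with a gsafeed DOCTYPE; if yours do, drop this
        // line and rely on the three external-entity/DTD features below instead.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a feed and returns its root element name; throws if the parser rejects it. */
    static String parse(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like a GSA feed (not taken from fess or Google).
        String benign = "<?xml version=\"1.0\"?><gsafeed><header><datasource>web</datasource></header></gsafeed>";
        // Constructed sample with a DOCTYPE declaring only a harmless internal entity. A hardened
        // parser must still reject it: the same DOCTYPE slot is where an external entity would go.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE gsafeed [<!ENTITY note \"constructed\">]>"
            + "<gsafeed><header>&note;</header></gsafeed>";

        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("benign feed root element: " + parse(hardened, benign));
        try {
            parse(hardened, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same feature URIs apply to SAXParserFactory and, via XMLInputFactory properties, to StAX parsers, so apply them on every parser path that touches uploaded XML, not only the DOM one shown here.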

🧯 If You Can't Patch

  • Implement strict input validation for all XML files
  • Deploy network segmentation to limit fess server access to internal networks

🔍 How to Verify

Check if Vulnerable:

Check the fess commit hash or version. If it is before faa265b, test with an XXE payload in a GSA XML file.

Check Version:

Check the fess version in the admin interface or review the git commit history.

Verify Fix Applied:

Verify fess is running commit faa265b or later. Test with known XXE payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Large XML file uploads
  • Requests to internal resources from fess server

Network Indicators:

  • Outbound connections from fess server to internal services
  • Unusual file read patterns

SIEM Query:

source="fess" AND ("XML" OR "GSA") AND (error OR exception)
