CVE-2018-1000829

9.0 CRITICAL

📋 TL;DR

This CVE describes an XML External Entity (XXE) vulnerability in Anyplace software versions before commit 80359b4. Attackers can exploit this via man-in-the-middle attacks on map API calls to read sensitive files, cause denial of service, perform SSRF attacks, or scan internal network ports. Any organization using vulnerable Anyplace versions is affected.

💻 Affected Systems

Products:
  • Anyplace
Versions: All versions before commit 80359b4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in map API calls and requires man-in-the-middle positioning to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through SSRF leading to internal network access, sensitive data exfiltration, and persistent backdoor installation.

🟠 Likely Case: Disclosure of server-side files (including configuration files with credentials), denial of service through resource exhaustion, and internal port scanning.

🟢 If Mitigated: Limited impact with proper network segmentation, XML parsing restrictions, and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires man-in-the-middle position but no authentication. Public proof-of-concept exists in the referenced 0dd.zone article.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 80359b4 and later

Vendor Advisory: https://github.com/dmsl/anyplace/issues/263

Restart Required: Yes

Instructions:

1. Update Anyplace to commit 80359b4 or later.
2. Restart the Anyplace service.
3. Verify the fix by checking the commit hash.

🔧 Temporary Workarounds

Disable External Entity Processing

all

Configure XML parser to disable external entity processing

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true

Network Segmentation

all

Isolate Anyplace servers from sensitive internal networks

🧯 If You Can't Patch

  • Implement strict network controls to prevent man-in-the-middle attacks on map API traffic
  • Deploy a WAF with XXE protection rules and monitor for XML parsing anomalies

🔍 How to Verify

Check if Vulnerable:

Check if Anyplace version is before commit 80359b4 by examining the git commit history or version metadata

Check Version:

git log --oneline -1

Verify Fix Applied:

Confirm the installation is at commit 80359b4 or later using git log or version check

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Large XML payloads in map API requests
  • External entity references in XML

Network Indicators:

  • XML payloads with DOCTYPE declarations
  • HTTP requests to map API endpoints with unusual XML content

SIEM Query:

source="anyplace.log" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")
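
The SIEM query above matches the bare words DOCTYPE, ENTITY and SYSTEM anywhere in a log line, so ordinary text containing them also hits. The following is an added example, not code from this advisory or from the Anyplace project: a Python triage helper that inspects a captured XML body and reports only real DTD constructs. The function names, labels and sample bodies are assumptions constructed for illustration.

```python
import codecs
import re

# Regions where "<!DOCTYPE" or "SYSTEM" are inert text: comments, CDATA, processing instructions.
INERT = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>|<\?.*?\?>", re.S)
# DOCTYPE name, optional external ID (group 1), optional internal subset (group 2).
DOCTYPE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+([^\[>]*)(?:\[(.*?)\]\s*)?>", re.S)
# Entity declaration: group 1 = "%" (parameter entity), group 2 = external ID keyword.
ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)?")
BOMS = ((codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"))

def decode_body(body):
    """Decode raw bytes by BOM so a UTF-16 body is not missed by a byte-level match."""
    if isinstance(body, str):
        return body
    for bom, enc in BOMS:
        if body.startswith(bom):
            return body[len(bom):].decode(enc, "replace")
    return body.decode("utf-8", "replace")

def xxe_findings(body):
    """Return sorted labels for the DTD constructs declared in an XML body."""
    text = INERT.sub("", decode_body(body))
    match = DOCTYPE.search(text)  # XML keywords are case-sensitive, so no IGNORECASE
    if match is None:
        return []
    found = {"doctype"}
    if re.search(r"\b(SYSTEM|PUBLIC)\b", match.group(1)):
        found.add("external-dtd")
    for ent in ENTITY.finditer(match.group(2) or ""):
        if ent.group(1):
            found.add("parameter-entity")
        found.add("external-entity" if ent.group(2) else "internal-entity")
    return sorted(found)

# Constructed sample bodies (not captured traffic); URIs are placeholders.
SAMPLES = {
    "external": '<?xml version="1.0"?><!DOCTYPE map [<!ENTITY x SYSTEM "file:///constructed/placeholder">]><map>&x;</map>',
    "parameter": '<!DOCTYPE map [<!ENTITY % p SYSTEM "http://example.invalid/p.dtd"> %p;]><map/>',
    "benign": "<map><note>SYSTEM restart: ENTITY and DOCTYPE counters reset</note></map>",
    "commented": '<map><!-- <!DOCTYPE m [<!ENTITY x SYSTEM "u">]> --><floor/></map>',
    "utf16": codecs.BOM_UTF16_LE + '<!DOCTYPE map [<!ENTITY x SYSTEM "http://example.invalid/x">]><map/>'.encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, xxe_findings(body))
```

Any non-empty result on a map API response is worth review, since the patched parser settings listed under the workarounds reject DOCTYPE declarations outright.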
