CVE-2019-14277

9.8 CRITICAL

📋 TL;DR

CVE-2019-14277 is an unauthenticated XML injection vulnerability in Axway SecureTransport's resetPassword REST API functionality. It allows attackers to perform XXE attacks leading to local file disclosure, denial of service, or SSRF attacks that could result in remote code execution. Affected systems include Axway SecureTransport versions 5.x through 5.3 (or 5.x through 5.5 with certain API configurations).

💻 Affected Systems

Products:
  • Axway SecureTransport
Versions: 5.x through 5.3 (or 5.x through 5.5 with certain API configurations)
Operating Systems: All platforms running SecureTransport
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor disputes the severity, claiming external entity attacks are blocked, but multiple independent researchers have confirmed exploitability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution via SSRF leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Local file disclosure of sensitive system files, configuration files, or credentials stored on the server.

🟢 If Mitigated: Denial of service through XML parsing resource exhaustion or limited information disclosure.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and exploitable via REST API, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the unauthenticated nature makes it easily exploitable by any internal attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available, including on Exploit-DB and GitHub. The vulnerability requires no authentication and has simple XML payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SecureTransport 5.3.9 and later, or 5.5.2 and later

Vendor Advisory: https://community.axway.com/s/article/SecureTransport-Security-Notice-re-CVE-2019-14277-Unauthenticated-XML-Injection-and-XXE

Restart Required: Yes

Instructions:

1. Download the latest SecureTransport patch from the Axway support portal.
2. Apply the patch according to Axway documentation.
3. Restart SecureTransport services.
4. Verify the fix by testing the resetPassword endpoint.

🔧 Temporary Workarounds

Disable resetPassword REST API endpoint (platform: all)

Temporarily disable the vulnerable resetPassword functionality in the REST API configuration by modifying the SecureTransport configuration to remove or disable access to the resetPassword endpoint.

Network segmentation and access control (platform: linux)

Restrict access to SecureTransport REST API endpoints using firewall rules that allow only trusted source addresses. The ACCEPT rule must be added before the DROP rule, since iptables applies the first matching rule, and any client not listed in [TRUSTED_IPS] will lose access to the port:

  iptables -A INPUT -p tcp --dport [SecureTransport_PORT] -s [TRUSTED_IPS] -j ACCEPT
  iptables -A INPUT -p tcp --dport [SecureTransport_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SecureTransport instances from sensitive systems
  • Deploy web application firewall (WAF) with XXE protection rules to block malicious XML payloads

🔍 How to Verify

Check if Vulnerable:

Test the resetPassword REST API endpoint with a simple XXE payload to see if it returns system files or causes parsing errors.

Check Version:

Check SecureTransport version via admin interface or configuration files

Verify Fix Applied:

Attempt the same XXE payload after patching; it should be rejected or return an error without disclosing information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors in SecureTransport logs
  • Multiple failed resetPassword attempts with XML payloads
  • Requests to internal file paths from resetPassword endpoint

Network Indicators:

  • HTTP POST requests to /api/v1.0/users/resetPassword with XML content
  • Outbound connections from SecureTransport server to unexpected internal systems

SIEM Query:

source="securetransport" AND (uri_path="/api/v1.0/users/resetPassword" AND (content="<!ENTITY" OR content="SYSTEM" OR content="file://"))
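As an added defensive example (not part of the original advisory), the Python below applies the same indicators to constructed newline-delimited JSON request records, decoding percent-encoded bodies and requiring a quoted identifier after SYSTEM/PUBLIC so the bare word "SYSTEM" does not trigger. The field names and sample records are assumptions, not SecureTransport's real log format.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample records, not real SecureTransport logs. Field names
# (source, uri_path, content) are assumed to match the SIEM query above.
SAMPLE_LOGS = """\
{"source": "securetransport", "method": "POST", "uri_path": "/api/v1.0/users/resetPassword", "content": "<?xml version='1.0'?><resetPassword><email>user@example.invalid</email></resetPassword>"}
{"source": "securetransport", "method": "POST", "uri_path": "/api/v1.0/users/resetPassword", "content": "<!DOCTYPE r [<!ENTITY x SYSTEM 'file:///PLACEHOLDER_PATH'>]><resetPassword><email>&x;</email></resetPassword>"}
{"source": "securetransport", "method": "POST", "uri_path": "/api/v1.0/users/resetPassword", "content": "%3C%21DOCTYPE%20r%20%5B%3C%21ENTITY%20x%20SYSTEM%20%27http%3A%2F%2Finternal.invalid%2F%27%3E%5D%3E"}
{"source": "securetransport", "method": "GET", "uri_path": "/api/v1.0/users/self", "content": ""}
"""

TARGET_PATH = "/api/v1.0/users/resetPassword"

# Markers of an external-entity declaration. Requiring a quote after SYSTEM/PUBLIC
# avoids matching the bare word "SYSTEM" in ordinary request text.
XXE_MARKERS = re.compile(
    r"<!DOCTYPE|<!ENTITY|\bSYSTEM\s+[\"']|\bPUBLIC\s+[\"']|\bfile://",
    re.IGNORECASE,
)


def normalise(body: str) -> str:
    """Undo up to two rounds of percent-encoding so encoded bodies are not missed."""
    for _ in range(2):
        body = unquote(body)
    return body


def find_xxe_markers(record: dict) -> list[str]:
    """Return the distinct markers found in a resetPassword request body (empty if clean)."""
    if record.get("source") != "securetransport" or record.get("uri_path") != TARGET_PATH:
        return []
    body = normalise(record.get("content", ""))
    return sorted({m.group(0).split()[0].lower() for m in XXE_MARKERS.finditer(body)})


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Scan newline-delimited JSON records; return (line_no, markers) for each hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            markers = find_xxe_markers(json.loads(line))
            if markers:
                hits.append((line_no, markers))
    return hits


if __name__ == "__main__":
    for line_no, markers in scan(SAMPLE_LOGS):
        print(f"line {line_no}: possible XXE against resetPassword, markers={markers}")
```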
