CVE-2019-7442

9.8 CRITICAL

📋 TL;DR

An XML external entity (XXE) vulnerability in the SAML authentication of CyberArk Password Vault Web Access lets a remote attacker read arbitrary files from the server and potentially bypass authentication, without needing any credentials. It affects CyberArk Enterprise Password Vault versions 10.7 and earlier.

💻 Affected Systems

Products:
  • CyberArk Enterprise Password Vault
Versions: <=10.7
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the Password Vault Web Access (PVWA) component using SAML authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the password vault with credential theft, privilege escalation, and potential lateral movement across the network.

🟠 Likely Case

Unauthorized access to sensitive files containing credentials or configuration data, or an authentication bypass leading to privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation, file system permissions, and external entity processing disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists showing file read capabilities. Authentication bypass potential mentioned but not fully demonstrated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8 and later

Vendor Advisory: https://www.cyberark.com/resources/threat-research-blog/cyberark-password-vault-web-access-xxe-vulnerability

Restart Required: Yes

Instructions:

1. Upgrade to CyberArk Enterprise Password Vault version 10.8 or later.
2. Apply all security patches from CyberArk.
3. Restart the PVWA service after the upgrade.

🔧 Temporary Workarounds

Disable external entity processing (applies to: all)

Configure the XML parser to disable external entity resolution. Set the XML parser properties FEATURE_SECURE_PROCESSING = true and DISALLOW_DOCTYPE_DECL = true.

Network segmentation (applies to: all)

Restrict access to the PVWA interface. Use firewall rules to limit PVWA access to trusted IPs only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit PVWA exposure
  • Monitor for unusual XML parsing activity and file access patterns

🔍 How to Verify

Check if Vulnerable:

Check the CyberArk version via the PVWA interface or the installation directory. Versions <=10.7 are vulnerable.

Check Version:

Check the PVWA web interface or the installation logs for version information.

Verify Fix Applied:

Verify version is 10.8 or later and test XML parsing with external entities disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • File access attempts via XML entities
  • SAML authentication failures with malformed XML

Network Indicators:

  • HTTP requests with XML containing external entity references
  • Outbound connections from PVWA to internal file shares

SIEM Query:

source="pvwa" AND (xml OR xxe OR "DOCTYPE" OR "ENTITY")
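The SIEM query above matches literal keywords, but a SAMLResponse arrives base64-encoded inside the POST body, so the DOCTYPE never appears in the raw request log. The following Python is an added example, not code from this page or from CyberArk: it decodes the field before looking for a DOCTYPE or an external entity declaration. The log layout, the URL path and the sample messages are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# A SAML response never legitimately carries a DOCTYPE; an ENTITY declared SYSTEM or
# PUBLIC (or a % parameter entity) is the external-entity signature worth escalating.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

def decode_saml_response(form_body):
    """Base64-decode the SAMLResponse field of a form-encoded POST body, or None."""
    values = parse_qs(form_body).get("SAMLResponse")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass: not base64 at all
        return None

def classify_xml(xml):
    """Verdict on decoded XML: 'external-entity', 'doctype' (internal only) or 'clean'."""
    if EXTERNAL_ENTITY_RE.search(xml):
        return "external-entity"
    if DOCTYPE_RE.search(xml):
        return "doctype"
    return "clean"

def scan_log(lines):
    """Return (line number, verdict) for POST lines whose decoded SAMLResponse is suspicious."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bPOST\b.*\sbody=(\S+)$", line)  # constructed log layout, see make_line
        xml = decode_saml_response(m.group(1)) if m else None
        verdict = classify_xml(xml) if xml is not None else "clean"
        if verdict != "clean":
            findings.append((n, verdict))
    return findings

def make_line(xml):
    """Constructed access-log line for an IdP POST to PVWA; the path is a placeholder."""
    body = urlencode({"SAMLResponse": base64.b64encode(xml).decode()})
    return "2019-02-01T10:00:00Z POST /PasswordVault/saml/ body=" + body

BENIGN = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
INTERNAL = b'<!DOCTYPE r [<!ENTITY greet "hi">]><samlp:Response>&greet;</samlp:Response>'
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///PLACEHOLDER">]><samlp:Response>&x;</samlp:Response>'
SAMPLE_LOG = ["2019-02-01T09:59:00Z GET /PasswordVault/ -",  # constructed; no body, so skipped
              make_line(BENIGN), make_line(INTERNAL), make_line(EXTERNAL)]
```

Running scan_log over SAMPLE_LOG flags lines 3 and 4 even though neither raw line contains the string "<!DOCTYPE", which is exactly the case a keyword-only query misses.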
