CVE-2020-10990
📋 TL;DR
CVE-2020-10990 is an XML External Entity (XXE) vulnerability in Accenture Mercury's SimpleXmlParser component that allows attackers to read arbitrary files from the server filesystem or conduct server-side request forgery attacks. This affects all Mercury deployments using versions before 1.12.28. The vulnerability is particularly dangerous because it can be exploited remotely without authentication.
💻 Affected Systems
- Accenture Mercury
📦 What is this software?
Mercury by Accenture
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including sensitive file disclosure (passwords, configuration files), server-side request forgery to internal systems, and potential remote code execution through file inclusion.
Likely Case
Arbitrary file read from the server filesystem, potentially exposing sensitive configuration files, credentials, or application source code.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and input validation controls in place.
🎯 Exploit Status
The vulnerability is in a widely used XML parsing component and can be exploited with standard XXE payloads. Public references and commit details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.28 and later
Vendor Advisory: https://github.com/Accenture/mercury/commit/f647a01347485d2afe3a0b735eab3d0121d61f46
Restart Required: Yes
Instructions:
1. Update Mercury to version 1.12.28 or later.
2. Replace the vulnerable SimpleXmlParser.java component.
3. Restart the Mercury application server.
4. Verify the fix by checking the version and testing XML processing.
🔧 Temporary Workarounds
Disable XXE processing
Configure XML parsers to disable external entity processing
Set XML parser properties: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true
Input validation filtering
Filter or block XML input containing DOCTYPE declarations or external entity references
Implement input validation to reject XML with DOCTYPE or SYSTEM entities
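The two workarounds above (a hardened parser configuration and a pre-parse input filter) combined in one Java class, as an added example; this is not Mercury's SimpleXmlParser code or the project's fix. It assumes the standard JAXP DocumentBuilderFactory with the Xerces feature URIs that the FEATURE_SECURE_PROCESSING and DISALLOW_DOCTYPE_DECL properties map to; the class name, the sample documents and the placeholder file path are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; not part of Mercury.
public class HardenedXmlGate {

    // Workaround 2: reject untrusted XML that carries any DOCTYPE or ENTITY declaration
    // before it reaches a parser. SYSTEM/PUBLIC only appear inside such declarations,
    // so matching the declaration openers avoids false positives on element text.
    private static final Pattern DOCTYPE_OR_ENTITY =
        Pattern.compile("<!(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    static boolean containsDoctypeOrEntity(String xml) {
        return DOCTYPE_OR_ENTITY.matcher(xml).find();
    }

    // Workaround 1: a DocumentBuilder with secure processing on and DOCTYPE declarations
    // disallowed; the remaining features close the external-entity and external-DTD paths
    // in case the DOCTYPE feature is not honoured by a particular parser implementation.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Input gate first, hardened parser second: defence in depth.
    static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        if (containsDoctypeOrEntity(xml)) {
            throw new SAXException("rejected: DOCTYPE/ENTITY declaration in untrusted XML");
        }
        return hardenedBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the example.
        String benign = "<?xml version=\"1.0\"?><order><id>42</id></order>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
            + "<order><id>&ext;</id></order>";

        System.out.println("benign root element: "
            + parseUntrusted(benign).getDocumentElement().getTagName());

        try {
            parseUntrusted(withDoctype);
        } catch (SAXException e) {
            System.out.println("input gate: " + e.getMessage());
        }

        // Even if the text gate were bypassed, the parser itself refuses the DOCTYPE.
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            System.out.println("hardened parser: " + e.getMessage());
        }
    }
}
```

With the Xerces-based parser bundled in the JDK, the third call fails with a SAXParseException stating that DOCTYPE is disallowed; if a deployment swaps in a different JAXP implementation, verify that each setFeature call is accepted rather than silently ignored, since an unsupported feature throws ParserConfigurationException here and should be treated as a deployment error, not caught and skipped.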
🧯 If You Can't Patch
- Implement network segmentation to isolate Mercury instances from sensitive internal systems
- Deploy web application firewall (WAF) rules to block XXE payloads and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Mercury version: if it is earlier than 1.12.28, the system is vulnerable. Test XML processing with XXE payloads.
Check Version:
Check Mercury application configuration or deployment manifest for version information
Verify Fix Applied:
Verify version is 1.12.28 or later. Test XML processing with XXE payloads to confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors
- File access attempts via XML parsing
- Unusual file system access patterns
Network Indicators:
- XML payloads containing DOCTYPE or SYSTEM entities
- Outbound requests from server to internal systems triggered by XML input
SIEM Query:
source="mercury.log" AND ("DOCTYPE" OR "SYSTEM" OR "ENTITY")
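The log and network indicators above, applied as detection logic over sample log lines, as an added example that is not part of this page's tooling or of Mercury. The log line format, request IDs and sample events are constructed for the example (a real Mercury log layout may differ, so the line regex is an assumption); the keyword rule is the SIEM query from the page, matched case-insensitively, and the correlation step raises severity when the same request that carried entity declarations also produced an outbound connection to a loopback, RFC 1918 or link-local address. Requires Java 16 or later for the record type.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical class name; not part of Mercury.
public class XxeLogDetector {

    // Assumed log layout: "<timestamp> <LEVEL> [<requestId>] <component>: <message>"
    private static final Pattern LINE =
        Pattern.compile("^(\\S+) (\\w+) \\[(\\w+)\\] (\\S+): (.*)$");

    // Same keywords as the SIEM query: "DOCTYPE" OR "SYSTEM" OR "ENTITY"
    private static final Pattern XML_KEYWORDS =
        Pattern.compile("\\b(DOCTYPE|SYSTEM|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    // Outbound connection to an internal target (loopback, RFC 1918, link-local)
    private static final Pattern INTERNAL_TARGET = Pattern.compile(
        "outbound (?:https?://)?(127\\.|10\\.|192\\.168\\.|172\\.(?:1[6-9]|2\\d|3[01])\\.|169\\.254\\.)");

    record Finding(String requestId, String severity, String reason) {}

    static List<Finding> scan(List<String> lines) {
        Set<String> xmlRequests = new HashSet<>();
        Set<String> outboundRequests = new HashSet<>();
        List<Finding> findings = new ArrayList<>();

        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;           // unparseable line: skip, do not crash
            String requestId = m.group(3);
            String component = m.group(4);
            String message = m.group(5);

            // Log indicator: XML input with DOCTYPE/SYSTEM/ENTITY seen by the parser
            if (component.equals("SimpleXmlParser") && XML_KEYWORDS.matcher(message).find()) {
                xmlRequests.add(requestId);
                findings.add(new Finding(requestId, "medium",
                    "DOCTYPE/SYSTEM/ENTITY keyword in XML handled by SimpleXmlParser"));
            }
            // Network indicator: server-initiated connection to an internal address
            if (INTERNAL_TARGET.matcher(message).find()) {
                outboundRequests.add(requestId);
            }
        }

        // Correlation: entity declarations followed by an internal outbound request
        for (String requestId : xmlRequests) {
            if (outboundRequests.contains(requestId)) {
                findings.add(new Finding(requestId, "high",
                    "XML with entity declarations and outbound request to internal address in same request"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines (not real Mercury output).
        List<String> sample = List.of(
            "2020-04-01T10:00:00Z INFO [req1] SimpleXmlParser: parsed document root=order",
            "2020-04-01T10:00:05Z WARN [req2] SimpleXmlParser: input contains <!DOCTYPE with SYSTEM entity",
            "2020-04-01T10:00:05Z INFO [req2] HttpClient: outbound http://169.254.169.254/ from XML handler",
            "2020-04-01T10:00:09Z WARN [req3] SimpleXmlParser: input contains <!ENTITY declaration",
            "malformed line that does not match the layout"
        );
        for (Finding f : scan(sample)) {
            System.out.println(f.severity() + " " + f.requestId() + ": " + f.reason());
        }
    }
}
```

On the sample above, req2 yields both a medium finding (keyword match) and a high finding (correlated outbound request), req3 yields only the medium finding, and req1 yields nothing. Tuning note: the bare keyword rule fires on any XML that legitimately carries a DOCTYPE, so the correlated high-severity finding is the one worth paging on; the medium findings are better routed to a dashboard and used to build a baseline of which clients send DOCTYPEs at all.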