CVE-2021-38555

9.1 CRITICAL
XXE

📋 TL;DR

This XML external entity (XXE) vulnerability in Apache Any23 lets an attacker who can submit XML to Any23 read arbitrary files the Any23 process can access and make server-side requests to internal systems (SSRF). It affects Any23 versions before 2.5 whenever untrusted XML input is processed. Any organization that feeds untrusted documents through a vulnerable Any23 build, whether as a library, the CLI or the web service, is at risk.

💻 Affected Systems

Products:
  • Apache Any23
Versions: All versions < 2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The XML parser created in StreamUtils.java did not disable DOCTYPE processing or external entities, so any DOCTYPE with an external entity in input handed to Any23 is resolved by the parser.

📦 What is this software?

Apache Any23 (Anything To Triples) is a Java library, command-line tool and web service that extracts structured data as RDF from web documents, including HTML with microformats or RDFa, RSS and Atom feeds, and other XML-based formats. Because its job is to parse documents handed to it, it routinely sees untrusted XML.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of any file the Any23 process can read (configuration, credentials, private keys), server-side requests to internal services and cloud metadata endpoints, and parser-level denial of service through entity expansion or external entities that never return. XXE in a Java XML parser does not by itself yield code execution; further compromise would come from what the disclosed credentials or internal reachability unlock.

🟠

Likely Case

Unauthorized file system access leading to credential theft, configuration exposure, and potential data exfiltration.

🟢

If Mitigated

With DOCTYPE declarations disallowed in the parser, the payload is rejected before any entity is declared, so neither file disclosure nor SSRF occurs. If only external entities are disabled but DOCTYPE is still accepted, inline entity expansion (billion laughs) can still cause denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes, wherever Any23 accepts XML without authentication (for example an exposed any23 web service endpoint)
Complexity: LOW

XXE payloads are generic and well documented; no Any23-specific tooling is needed. Exploitation only requires that attacker-controlled XML reaches Any23, for example through the any23 web service or an application that passes uploaded or fetched documents to it; whether that path is authenticated depends on the deployment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5

Vendor Advisory: https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E

Restart Required: Yes

Instructions:

1. Upgrade to Any23 2.5 or later: for Maven builds, raise the org.apache.any23 dependency version; for the CLI or web service, download the 2.5 or later distribution from Apache and replace the existing installation.
2. Rebuild or redeploy every application that bundles Any23; the vulnerable class ships inside the library, so a shaded or embedded copy is only fixed once it is rebuilt against 2.5+.
3. Restart the affected services.
4. Verify that XML input containing a DOCTYPE with an external entity is now rejected rather than resolved, and that normal extraction still works.

🔧 Temporary Workarounds

Disable XXE in XML parser

all

Configure the XML parser to disallow DOCTYPE declarations and external entities.

Set the parser features http://apache.org/xml/features/disallow-doctype-decl=true (rejects any DTD, which blocks external entities, parameter entities and entity-expansion DoS in one step), http://xml.org/sax/features/external-general-entities=false and http://xml.org/sax/features/external-parameter-entities=false. XMLConstants.FEATURE_SECURE_PROCESSING=true only caps entity expansion and does not stop external entity resolution on its own. Caveat: the vulnerable parser is created inside Any23 itself (StreamUtils.java), so these settings only help where you control the parser, for example when pre-validating input before it reaches Any23; the only complete fix is upgrading.

Input validation and sanitization

all

Validate and reject XML input before it reaches Any23.

Reject any document containing a DOCTYPE declaration (<!DOCTYPE) or an entity declaration (<!ENTITY) before passing it to Any23.
Validate against an XML schema and allow only the expected elements; the validating parser itself must be hardened as above, or the validation step becomes the XXE sink.

🧯 If You Can't Patch

  • Run Any23 under a dedicated low-privilege account with read access only to the files it needs, so a successful XXE discloses as little as possible
  • Apply egress filtering to the Any23 host so external DTDs cannot be fetched and out-of-band exfiltration fails, and segment it from sensitive internal systems
  • Deploy a web application firewall that blocks request bodies containing <!DOCTYPE or <!ENTITY before they reach Any23

🔍 How to Verify

Check if Vulnerable:

Check the Any23 version with java -jar any23-cli.jar --version or, for applications that embed the library, with mvn dependency:tree -Dincludes=org.apache.any23, which lists every Any23 artifact pulled in, including transitive ones. Any version below 2.5 is vulnerable.

Check Version:

java -jar any23-cli.jar --version

Verify Fix Applied:

Confirm the version is 2.5 or higher, then feed Any23 a document containing a DOCTYPE with an external entity that points at a harmless local file you created (never a real secret). A fixed parser rejects the DOCTYPE instead of echoing the file contents into the extracted data.

📡 Detection & Monitoring

Log Indicators:

  • Request or parser logs showing XML bodies with <!DOCTYPE or <!ENTITY declarations (only visible if request bodies are logged)
  • Unusual file reads by the Any23 process, especially /etc/passwd, configuration files or key material
  • XML parse failures mentioning "DOCTYPE is disallowed" after patching, which indicate probing of a fixed instance

Network Indicators:

  • HTTP requests whose XML bodies contain <!ENTITY declarations with SYSTEM or PUBLIC identifiers (a bare PUBLIC doctype on XHTML input is common and benign; an <!ENTITY ... SYSTEM declaration is not)
  • Outbound connections from the Any23 process to internal IPs, the cloud metadata endpoint 169.254.169.254 or unexpected external hosts (external DTD fetches or out-of-band exfiltration)

SIEM Query:

source="any23.log" AND ("<!DOCTYPE" OR "<!ENTITY")

Matching the bare words SYSTEM, PUBLIC or ENTITY instead hits ordinary document text and is very noisy. Either form only works if the log source records request bodies; any23.log stands for whatever source name your deployment uses.
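A tighter version of the detection logic above, as an added example that is not part of the page or of Any23: a small scanner that classifies the XML body in each constructed request log line by the specific XXE indicators (DOCTYPE, external or parameter entity declaration, file:// or internal-network target, entity-expansion chain) and alerts only when a DOCTYPE carries an entity declaration or an expansion chain, so a legitimate XHTML PUBLIC doctype or the word SYSTEM in ordinary content does not fire. The log line format, the URL path and the class name are assumptions; it assumes Java 11 or later.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class XxeLogScanner {

    // Each regex anchors on XML declaration syntax (<!DOCTYPE, <!ENTITY, SYSTEM or
    // PUBLIC inside an entity declaration) rather than on bare words, which avoids
    // false positives from ordinary content such as "SYSTEM outage".
    private static final Map<String, Pattern> INDICATORS = new LinkedHashMap<>();
    static {
        INDICATORS.put("doctype",
            Pattern.compile("<!DOCTYPE\\b", Pattern.CASE_INSENSITIVE));
        INDICATORS.put("external-entity",
            Pattern.compile("<!ENTITY\\s+\\w+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE));
        INDICATORS.put("parameter-entity",
            Pattern.compile("<!ENTITY\\s+%\\s*\\w+", Pattern.CASE_INSENSITIVE));
        INDICATORS.put("file-or-internal-target",
            Pattern.compile("(file://|https?://(10\\.|127\\.|169\\.254\\.|172\\.(1[6-9]|2\\d|3[01])\\.|192\\.168\\.|localhost))",
                Pattern.CASE_INSENSITIVE));
        // Five or more consecutive entity references inside one line is the
        // shape of a billion-laughs style expansion chain.
        INDICATORS.put("entity-expansion",
            Pattern.compile("(&\\w+;\\s*){5,}"));
    }

    // Returns the names of every indicator that matches the line.
    static Set<String> scan(String line) {
        Set<String> hits = new LinkedHashSet<>();
        for (Map.Entry<String, Pattern> e : INDICATORS.entrySet()) {
            if (e.getValue().matcher(line).find()) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    // Alert when a DOCTYPE is combined with an external or parameter entity or an
    // expansion chain; a DOCTYPE on its own (e.g. an XHTML PUBLIC doctype) is not enough.
    static boolean isAlert(Set<String> hits) {
        return hits.contains("doctype")
            && (hits.contains("external-entity")
                || hits.contains("parameter-entity")
                || hits.contains("entity-expansion"));
    }

    public static void main(String[] args) {
        // Constructed sample lines from a request log that records the XML body.
        List<String> lines = List.of(
            "2021-08-12T10:01:02Z POST /any23/rdf body=<?xml version=\"1.0\"?><rss><item><title>SYSTEM outage</title></item></rss>",
            "2021-08-12T10:01:09Z POST /any23/rdf body=<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/passwd\">]><d>&x;</d>",
            "2021-08-12T10:01:15Z POST /any23/rdf body=<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY % p SYSTEM \"http://10.0.0.5/evil.dtd\"> %p;]><d/>",
            "2021-08-12T10:01:20Z POST /any23/rdf body=<!DOCTYPE d [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;&a;&a;\">]><d>&b;</d>",
            "2021-08-12T10:01:31Z POST /any23/rdf body=<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html/>"
        );
        for (String l : lines) {
            Set<String> hits = scan(l);
            System.out.printf("%-6s %s%n", isAlert(hits) ? "ALERT" : "ok", hits);
        }
    }
}
```

Run with javac XxeLogScanner.java && java XxeLogScanner: the first and last sample lines (plain content mentioning SYSTEM, and a standard XHTML PUBLIC doctype) come out as ok, while the file disclosure, parameter-entity and expansion-chain lines are flagged ALERT. The same regexes translate directly into SIEM rules where the platform supports them.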

🔗 References

  • Apache announcement: https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-38555
