CVE-2022-0272

9.8 CRITICAL

📋 TL;DR

This XXE vulnerability in detekt lets an attacker who can supply an XML file that detekt parses read any file accessible to the user running detekt, or trigger outbound requests from that host (server-side request forgery). It affects detekt versions before 1.20.0 whenever they parse XML from an untrusted source, for example a CI job that analyses code contributed by outsiders.

💻 Affected Systems

Products:
  • detekt static code analysis tool
Versions: All versions prior to 1.20.0
Operating Systems: All platforms running detekt
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in detekt's XML parsing: the parser resolved external entities, so any XML detekt reads from a source an attacker can influence (a repository checkout, a pull request, a shared configuration) can carry an XXE payload.

📦 What is this software?

detekt is an open-source static code analysis tool for Kotlin. It runs as a command-line tool, through its Gradle plugin, or inside CI pipelines, and it parses XML as part of its input handling, which is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of secrets readable by the detekt process (CI tokens, signing keys, .env files, SSH keys) from a build agent or developer workstation, followed by lateral movement into the source repositories, artifact registries or cloud accounts those secrets unlock.

🟠

Likely Case

Unauthorized read of configuration files or source code from the host running detekt.

🟢

If Mitigated

Limited impact if detekt only ever parses XML from sources you control.

🌐 Internet-Facing: HIGH if detekt parses XML that an outside party can supply, for example CI runs against pull requests from forks, or a service that accepts uploaded XML and hands it to detekt.
🏢 Internal Only: MEDIUM if every XML file detekt reads comes from repositories and pipelines with controlled write access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires getting detekt to parse attacker-controlled XML; no credentials or access to the host are needed. A public proof of concept is included in the huntr.dev bounty report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.0 and later

Fix Commit: https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395

Restart Required: No

Instructions:

1. Update detekt to version 1.20.0 or later.
2. Gradle plugin: set the plugin version in the build script, for example plugins { id("io.gitlab.arturbosch.detekt") version "1.20.0" }.
3. Maven or standalone CLI: bump every io.gitlab.arturbosch.detekt artifact in pom.xml (or the downloaded detekt-cli jar) to 1.20.0.
4. Re-run the build or CI pipeline so the new version is resolved. detekt is a build-time tool, so there is nothing to redeploy.

🔧 Temporary Workarounds

Disable XXE processing

Platforms: all

Applies if you build detekt from source or embed its XML handling in your own tooling; it does not change a released detekt binary. Configure the parser factory so that DOCTYPE declarations are rejected and external entities are never resolved.

Set FEATURE_SECURE_PROCESSING to true and the feature http://apache.org/xml/features/disallow-doctype-decl to true; also set the external-general-entities and external-parameter-entities features to false.

Input validation

Platforms: all

Refuse XML that contains a DOCTYPE or ENTITY declaration before detekt ever sees it. A DOCTYPE is the carrier for every XXE payload, so rejecting input that has one is a sound preflight filter when the XML you feed detekt is generated by detekt or by your own tooling.

Allowlist the repositories and paths detekt is permitted to read XML from, or validate the input against a schema, rather than trusting whatever is in the checkout.
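The vulnerable and hardened parser configurations side by side, as an added example that is not detekt's own code and is not taken from the fix commit. It uses the standard JDK SAXParserFactory, a temporary file standing in for a secret, and a constructed XXE payload, so it runs offline and never reads a real system file. It assumes the JDK's default SAX parser still resolves external entities (true on current LTS JDKs); the same payload is usable as the harmless probe suggested under "Verify Fix Applied".

```kotlin
import java.io.File
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParser
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.InputSource
import org.xml.sax.SAXParseException
import org.xml.sax.helpers.DefaultHandler

/** Collects character data so we can see whether the entity was expanded. */
private class TextCollector : DefaultHandler() {
    val text = StringBuilder()
    override fun characters(ch: CharArray, start: Int, length: Int) {
        text.append(ch, start, length)
    }
}

/** Default factory: accepts a DOCTYPE and resolves external entities (the vulnerable shape). */
fun unsafeParser(): SAXParser = SAXParserFactory.newInstance().newSAXParser()

/** Hardened factory: no DOCTYPE at all, so no external or parameter entities and no DTD fetch. */
fun hardenedParser(): SAXParser {
    val factory = SAXParserFactory.newInstance()
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Belt and braces in case a DOCTYPE must ever be allowed again.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.isXIncludeAware = false
    return factory.newSAXParser()
}

/** Parses [xml] and returns the extracted text, or null if the parser rejected the document. */
fun parseText(parser: SAXParser, xml: String): String? {
    val handler = TextCollector()
    return try {
        parser.parse(InputSource(StringReader(xml)), handler)
        handler.text.toString()
    } catch (e: SAXParseException) {
        null
    }
}

fun main() {
    // Constructed secret file standing in for /etc/passwd or a CI token file.
    val secret = File.createTempFile("xxe-demo", ".txt").apply {
        writeText("ci-token=EXAMPLE-NOT-REAL")
        deleteOnExit()
    }
    // Constructed XXE payload: the external entity points at the temp file above.
    val payload = """
        <?xml version="1.0"?>
        <!DOCTYPE doc [ <!ENTITY xxe SYSTEM "${secret.toURI()}"> ]>
        <doc><item>&xxe;</item></doc>
    """.trimIndent()

    println("default parser : " + parseText(unsafeParser(), payload))   // prints the file contents
    println("hardened parser: " + parseText(hardenedParser(), payload)) // prints null: DOCTYPE rejected
}
```

Compile with kotlinc and run it: the first line leaks the temp file's contents, the second shows the hardened parser refusing the document outright. If you remove only the disallow-doctype-decl feature, the parser accepts the DOCTYPE but the disabled entity features leave the item empty instead of expanding it, which is why both layers are set.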

🧯 If You Can't Patch

  • Run detekt only on XML from sources you control; do not run a vulnerable detekt against pull requests from forks or other untrusted checkouts
  • Run detekt in an isolated CI job that holds no secrets and has outbound network access restricted, so a successful XXE has nothing to read and nowhere to send it

🔍 How to Verify

Check if Vulnerable:

Check detekt version: run 'detekt --version' or check build configuration files for version <1.20.0

Check Version:

detekt --version

Verify Fix Applied:

Confirm the version is 1.20.0 or higher, then re-test with a harmless XXE probe (an external entity pointing at a file you created for the test) and expect the parser to reject the DOCTYPE rather than expand the entity.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from detekt process
  • XML parsing errors with external entity references
  • Large outbound data transfers after XML processing

Network Indicators:

  • Unexpected outbound connections from detekt to internal file servers or external systems

SIEM Query:

process_name:"detekt" AND (file_access:"/etc/passwd" OR file_access:"/proc/self/environ" OR network_connection:internal_ip)

The field names above are illustrative placeholders; map them to your log schema, and note that detekt normally runs under a java process, so match on the command line as well as the process name.
