CVE-2023-45612
📋 TL;DR
This vulnerability in JetBrains Ktor's ContentNegotiation feature with XML format allows attackers to perform XML External Entity (XXE) attacks, potentially leading to sensitive data disclosure, server-side request forgery, or denial of service. It affects applications using Ktor's default XML configuration. Developers using Ktor with XML content negotiation are impacted.
💻 Affected Systems
- JetBrains Ktor
📦 What is this software?
Ktor by Jetbrains
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing data exfiltration, internal network reconnaissance, and potential remote code execution via XXE.
Likely Case
Sensitive file disclosure from the server, denial of service through entity expansion attacks, or internal port scanning.
If Mitigated
Limited impact with proper XML parser hardening, but still potential for denial of service.
🎯 Exploit Status
XXE vulnerabilities are well-understood attack vectors with many existing exploitation techniques. The default vulnerable configuration makes exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.5
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Update Ktor dependency to version 2.3.5 or later.
2. Update build.gradle or pom.xml to use the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Disable XML ContentNegotiation
Remove or disable XML format from ContentNegotiation configuration
// In Ktor application code, remove or comment out XML configuration:
// install(ContentNegotiation) {
//     xml() // Remove this line
// }
Configure Secure XML Parser
Manually configure XML parser with XXE protections enabled
// Configure ContentNegotiation with secure XML settings:
install(ContentNegotiation) {
    xml {
        setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "")
        setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "")
        setFeature("http://xml.org/sax/features/external-general-entities", false)
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    }
}
🧯 If You Can't Patch
- Implement WAF rules to block XML payloads containing external entity declarations
- Disable XML endpoints entirely if not required for business functionality
🔍 How to Verify
Check if Vulnerable:
Check if Ktor version is below 2.3.5 and application uses ContentNegotiation with XML format enabled.
Check Version:
Check build.gradle for implementation("io.ktor:ktor-server-core:VERSION"), or check pom.xml for the Ktor version.
Verify Fix Applied:
Verify Ktor version is 2.3.5 or higher in build configuration and deployed application.
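The version check above can be scripted across build files. This Python script is an added example, not code from JetBrains or from this advisory. It assumes `io.ktor` dependencies are declared directly in the build file, and it treats the presence of the `ktor-serialization-kotlinx-xml` artifact as a proxy for the XML format being enabled; the sample build text is constructed.

```python
import re

FIXED = (2, 3, 5)  # first fixed Ktor release, taken from the advisory above

# Gradle coordinates (Groovy or Kotlin DSL): "io.ktor:ktor-server-core:2.3.4"
GRADLE_DEP = re.compile(r"""["']io\.ktor:(ktor-[\w-]+):([^"']+)["']""")
# Maven <dependency> entries whose groupId is io.ktor
MAVEN_DEP = re.compile(
    r"<groupId>\s*io\.ktor\s*</groupId>\s*"
    r"<artifactId>\s*(ktor-[\w-]+)\s*</artifactId>\s*"
    r"<version>\s*([^<\s]+)\s*</version>")

# Constructed sample build file, not taken from any real project.
SAMPLE_GRADLE = '''
implementation("io.ktor:ktor-server-core:2.3.4")
implementation("io.ktor:ktor-server-content-negotiation:2.3.4")
implementation("io.ktor:ktor-serialization-kotlinx-xml:$ktor_version")
'''


def parse_version(text):
    """Return (major, minor, patch), or None for a variable like $ktor_version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in m.groups()) if m else None


def audit(build_text):
    """Classify every io.ktor dependency found in one build file's text."""
    deps = []
    for artifact, raw in GRADLE_DEP.findall(build_text) + MAVEN_DEP.findall(build_text):
        version = parse_version(raw)
        if version is None:
            status = "unresolved"  # version comes from a property or catalog
        elif version < FIXED:
            status = "below-2.3.5"
        else:
            status = "fixed"
        deps.append((artifact, raw, status))
    # Assumption: the XML serialization artifact being in the build stands in
    # for ContentNegotiation being installed with the XML format.
    xml_format = any("kotlinx-xml" in artifact for artifact, _, _ in deps)
    outdated = any(status == "below-2.3.5" for _, _, status in deps)
    return {"deps": deps, "xml_format": xml_format,
            "affected": xml_format and outdated}


if __name__ == "__main__":
    for dep in audit(SAMPLE_GRADLE)["deps"]:
        print(dep)
```

The script reads declared versions only; entries reported as `unresolved`, and versions pulled in transitively or through a BOM, need to be confirmed against the resolved dependency graph (`gradle dependencies` or `mvn dependency:tree`).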
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors, unusually large XML payloads, requests to internal resources from XML parser
Network Indicators:
- Outbound connections from server to external URLs during XML processing
SIEM Query:
source="application_logs" AND (message="*XML*" OR message="*DTD*" OR message="*ENTITY*") AND (status="ERROR" OR size>1000000)