CVE-2023-49735
📋 TL;DR
Apache Tiles picks the XML definition file to load (tiles.xml, tiles_de.xml, tiles_fr_FR.xml, ...) from the locale it reads out of the DefaultLocaleResolver.LOCALE_KEY session attribute. If an application stores user-controlled data under that key, an attacker can steer the file lookup with path traversal sequences or a URL, so Tiles fetches and parses an attacker-chosen resource as XML. That enables XML external entity (XXE) attacks against the server and server-side request forgery (SSRF) through the resource fetch itself. Every Apache Tiles release from version 2 onward is affected. The project is no longer maintained, so no fixed release exists; the vulnerability is only reported for software the maintainer no longer supports.
💻 Affected Systems
- Apache Tiles
📦 What is this software?
Apache Tiles is a Java templating framework that composes web pages from reusable JSP/template fragments, commonly paired with Spring MVC and Struts. Page layouts are declared in XML definition files, and Tiles selects a locale-specific variant of those files at runtime based on the resolved locale.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise: XXE disclosing any file readable by the servlet process (credentials, keys, configuration), and SSRF from the application server reaching internal services or cloud metadata endpoints, either of which can be chained into broader compromise.
Likely Case
Disclosure of local files readable by the application process, SSRF against internal services that trust the application server, or denial of service (for example entity expansion, or a definition resource that never returns).
If Mitigated
No impact if the value written to DefaultLocaleResolver.LOCALE_KEY is always taken from a fixed allow-list of application-defined locales rather than from request data.
🎯 Exploit Status
An attacker cannot write session attributes directly. Exploitation requires that the application itself copy user-controlled data (typically a language or locale request parameter) into the DefaultLocaleResolver.LOCALE_KEY session attribute, and it helps to know where and how the application resolves its XML definition files so the traversal or URL payload lands on a useful target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
Restart Required: No
Instructions:
No official patch: the Apache Tiles project is no longer maintained, so a fixed release will not be published. Migrate to a supported templating framework, or apply the workarounds below until you can.
🔧 Temporary Workarounds
Input Validation for Session Attributes
Never store raw user input under DefaultLocaleResolver.LOCALE_KEY. Map the incoming language/locale parameter onto a fixed allow-list of Locale objects for which the application actually ships definition files, store only the matched Locale object, and drop (and log) everything else.
Disable External Entity Processing
Configure the XML parser that loads Tiles definitions (Tiles parses them with Apache Commons Digester, which wraps a SAX parser) to disable external entity resolution and DTD loading. Note that this limits XXE only: the SSRF component comes from Tiles fetching the attacker-chosen resource before any parsing happens, so the resource lookup itself must be fixed.
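The first workaround as a servlet filter, added here as an illustration and not code from the Apache Tiles project. It assumes the application exposes the language choice through a request parameter named `lang` (an assumption; use your own parameter name) and ships definition files for the five locales in `ALLOWED` (also an assumption). The filter replaces the vulnerable pattern `session.setAttribute(DefaultLocaleResolver.LOCALE_KEY, new Locale(request.getParameter("lang")))` with an allow-list lookup, so only a known `Locale` object can ever reach the session attribute; `main` exercises the validator with benign and hostile inputs without a container.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.tiles.locale.impl.DefaultLocaleResolver;

/**
 * Maps a user-supplied "lang" parameter (assumed name) onto a fixed set of Locale
 * objects before anything is written to the Tiles session attribute. Anything not in
 * the allow-list is never stored, so the locale postfix Tiles appends to its definition
 * file names (tiles_<locale>.xml) can never be attacker-controlled.
 */
public class TilesLocaleAllowlistFilter implements Filter {

    // The only locales this application ships definition files for (assumption for the example).
    private static final Map<String, Locale> ALLOWED = Map.of(
            "en",    Locale.ENGLISH,
            "en_US", Locale.US,
            "de",    Locale.GERMAN,
            "fr",    Locale.FRENCH,
            "fr_FR", Locale.FRANCE);

    // Syntactic gate before the map lookup: language, optional country, nothing else.
    // Dots, slashes, colons and percent signs can never pass.
    private static final Pattern SHAPE = Pattern.compile("^[a-z]{2,3}(_[A-Z]{2})?$");

    /** Returns the canonical Locale for a raw parameter value, or null if it is not allowed. */
    public static Locale resolveAllowed(String raw) {
        if (raw == null || !SHAPE.matcher(raw).matches()) {
            return null;
        }
        return ALLOWED.get(raw);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            String raw = http.getParameter("lang");
            if (raw != null) {
                Locale locale = resolveAllowed(raw);
                if (locale != null) {
                    // Store the Locale object, the type DefaultLocaleResolver casts the attribute to.
                    HttpSession session = http.getSession(true);
                    session.setAttribute(DefaultLocaleResolver.LOCALE_KEY, locale);
                } else {
                    // Leave the session untouched and log a sanitised, truncated copy for detection.
                    String shown = raw.length() > 64 ? raw.substring(0, 64) : raw;
                    shown = shown.replaceAll("[^\\x20-\\x7e]", "?");
                    http.getServletContext().log(
                            "Rejected locale parameter from " + http.getRemoteAddr() + ": " + shown);
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /** Stand-alone self-check of the validator; constructed probes, no container needed. */
    public static void main(String[] args) {
        String[] probes = {
            "en", "fr_FR", "EN",
            "../../../../etc/passwd",
            "http://169.254.169.254/",
            "file:///etc/passwd",
            "de%2F.."
        };
        for (String p : probes) {
            // Only "en" and "fr_FR" yield a Locale; every other probe prints null.
            System.out.println(p + " -> " + resolveAllowed(p));
        }
    }
}
```

Register the filter in web.xml (or with @WebFilter) ahead of any code that currently writes the attribute, then delete that code: the point is that the filter becomes the only writer of DefaultLocaleResolver.LOCALE_KEY. Rejected values are logged rather than echoed back, which also gives the detection section below something concrete to alert on.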
🧯 If You Can't Patch
- Add web application firewall (WAF) rules that block path traversal sequences (../, ..\ and their URL-encoded and double-encoded forms) and URL schemes (file:, http:, https:, jar:) in the request parameters that feed locale selection. A WAF cannot inspect session attributes, only the requests that populate them, so the rule must target the parameter, and it is a stopgap, not a fix.
- Restrict network egress from affected servers, including access to cloud metadata endpoints, to limit what an SSRF can reach.
🔍 How to Verify
Check if Vulnerable:
Search the application code for every write to the DefaultLocaleResolver.LOCALE_KEY session attribute (including writes that spell out its literal string value) and trace where the stored value originates; if it derives from request data in any way, the application is exposed. Confirm that Tiles is loading XML definition files, which is the default configuration.
Check Version:
Check Maven/Gradle dependencies or the jars under WEB-INF/lib (tiles-core, tiles-api, tiles-servlet and related artifacts) for Apache Tiles 2.x or 3.x. Every release from 2.0 onward is affected, so any presence of the library is a finding.
Verify Fix Applied:
Submit traversal sequences, encoded variants and URLs in the locale parameter and confirm they never reach the session: the stored value must always be one of the allow-listed Locale objects. Separately confirm that the XML parser loading the definitions rejects external entities.
📡 Detection & Monitoring
Log Indicators:
- Path traversal sequences or URL schemes in language/locale request parameters (session attributes themselves are not logged; the request parameter and any rejection message the application writes are what you can search)
- XML parsing errors on definition files, or parser errors mentioning external entities or DTDs
- Unexpected outbound HTTP requests originating from the application server
Network Indicators:
- HTTP requests to internal services from application server
- DNS requests for unusual domains from server
SIEM Query:
source="application.log" AND ("DefaultLocaleResolver" OR "LOCALE_KEY") AND (".." OR "%2e%2e" OR "file:" OR "http:")
This query only finds something if the application logs the locale value it receives or rejects; if it does not, search the web server access logs for the same patterns in the locale parameter instead.
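The access-log search suggested in the detection section, as an added example rather than anything from the original advisory. It assumes combined-format access-log lines and that the locale is carried in a parameter named `lang`, `locale` or `language` (assumed names); the scanner decodes each value twice so that double-encoded traversal is caught, then flags traversal sequences and URL schemes. The sample lines are constructed for the example, not real traffic.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans access-log lines for locale-selection parameters carrying path traversal or
 * URL-scheme payloads, the shapes that matter when the value ends up in
 * DefaultLocaleResolver.LOCALE_KEY.
 */
public class LocaleParamLogScanner {

    // Parameter names assumed to feed locale selection in the monitored application.
    private static final Pattern LOCALE_PARAM =
            Pattern.compile("[?&](?:lang|locale|language)=([^&\\s\"]+)");

    // Traversal in either slash form anywhere in the value, or a URL scheme at the start.
    private static final Pattern PAYLOAD =
            Pattern.compile("(?i)(\\.\\.[/\\\\]|^[a-z][a-z0-9+.-]*:)");

    /** Decodes twice so %252e%252e%252f is seen as ../ ; malformed escapes are kept raw. */
    static String decodeTwice(String s) {
        return safeDecode(safeDecode(s));
    }

    private static String safeDecode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
    }

    /** Returns the decoded locale value if it looks hostile, otherwise empty. */
    public static Optional<String> suspiciousLocale(String logLine) {
        Matcher m = LOCALE_PARAM.matcher(logLine);
        while (m.find()) {
            String decoded = decodeTwice(m.group(1));
            if (PAYLOAD.matcher(decoded).find()) {
                return Optional.of(decoded);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample lines in combined-log format; not real traffic.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /app/home?lang=en HTTP/1.1\" 200 512",
            "10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] \"GET /app/home?lang=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\" 500 0",
            "10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] \"GET /app/home?locale=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1\" 500 0",
            "10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] \"GET /app/home?locale=http%3A%2F%2F169.254.169.254%2F HTTP/1.1\" 500 0",
            "10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] \"GET /app/home?lang=%252e%252e%252f HTTP/1.1\" 500 0");
        // The first line is clean; the other four each produce an ALERT line.
        for (String line : sample) {
            suspiciousLocale(line).ifPresent(v -> System.out.println("ALERT " + v + "  <- " + line));
        }
    }
}
```

A burst of such hits from one client, especially paired with HTTP 500 responses and the outbound connections listed under network indicators, is the pattern to escalate on; a single hit against an application that already allow-lists its locales is a probe, not a compromise.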