Jolokia XML External Entity

high Web App Scanning Plugin ID 113199

Language:

Synopsis

Jolokia XML External Entity

Description

Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. Jolokia includes a reloadByURL action (provided by the Logback library), that allows an attacker to reload the logging config from an external URL resulting in a XML External Entity (XXE) vulnerability.

Solution

If the jolokia endpoint is not needed it should be disabled. If the jolokia endpoint is required it should be secured using Spring Security.

See Also

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

Plugin Details

Severity: High

ID: 113199

Type: remote

Family: Component Vulnerability

Published: 3/24/2022

Updated: 3/13/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:jolokia:jolokia:*:*:*:*:*:*:*:*

Reference Information

CWE: 611

OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A4, 2017-A9, 2021-A5, 2021-A6

WASC: XML External Entities

CAPEC: 221

DISA STIG: APSC-DV-002550, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.5.2

PCI-DSS: 3.2-6.2, 3.2-6.5.1