CVE-2024-55875: XXE (XML External Entity Injection) vulnerability
Severity: HIGH
December 12, 2024
Description
There is an XXE (XML External Entity Injection) vulnerability in the way http4k handles malicious XML content within requests. It might allow attackers to read sensitive local files on the server, trigger Server-Side Request Forgery (SSRF), and, under some circumstances, even execute code.
Affected http4k modules & versions
http4k-format-xml
- 5.40.0.0 and below
- 4.49.0.0 and below
Mitigation
Users of affected versions should upgrade to the corresponding fixed version listed below. http4k EE subscribers can access the fixed LTS versions through the dedicated http4k Maven instance. For more details about the http4k EE LTS versions, please contact http4k enterprise support.
Version | Fixed Version | Availability |
---|---|---|
<= 5.40.0.0 | 5.41.0.0 | Community & Enterprise Support |
<= 4.49.0.0 | 4.50.0.0 | Enterprise Support Only |
Older, unsupported versions are also affected.
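Upgrading is the fix for the module itself. For applications that parse request XML with JAXP directly, the following Kotlin is an added example (not part of this advisory and not http4k's own code) of the parser hardening that closes off the XXE class described above, together with a check that a DOCTYPE-carrying payload is refused. It assumes the JDK's built-in DocumentBuilderFactory, whose feature URIs and XMLConstants attributes are the standard Xerces/JAXP ones; the function names and sample inputs are constructed for illustration, and nothing here claims to reproduce how the http4k patch is implemented.

```kotlin
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import org.xml.sax.InputSource
import org.xml.sax.SAXParseException

// Builds a DocumentBuilderFactory with every external-entity path closed off.
// Rejecting the DOCTYPE declaration outright is the strongest setting: without a
// DTD there is nowhere to declare an external entity (or an entity-expansion bomb).
// The remaining features are defence in depth for deployments that must keep DTDs.
// Assumption: the JDK's built-in (Xerces-derived) parser, which knows these URIs.
fun hardenedDocumentBuilderFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        setFeature("http://xml.org/sax/features/external-general-entities", false)
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
        setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
        // JAXP 1.5 properties: an empty protocol list forbids fetching DTDs and schemas.
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
        setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
        isXIncludeAware = false
        isExpandEntityReferences = false
    }

// Parses XML from an untrusted source (for example a request body) with the hardened factory.
fun parseUntrusted(xml: String): Document =
    hardenedDocumentBuilderFactory()
        .newDocumentBuilder()
        .parse(InputSource(StringReader(xml)))

// Returns true when the parser refuses the document because it carries a DOCTYPE,
// which is the behaviour a regression test for this class of bug should assert.
fun isRejectedAsDoctype(xml: String): Boolean =
    try {
        parseUntrusted(xml)
        false
    } catch (e: SAXParseException) {
        true
    }

fun main() {
    // Constructed sample inputs; the file path is a placeholder, not a real target.
    val benign = """<?xml version="1.0"?><order><id>42</id></order>"""
    val withExternalEntity = """
        <?xml version="1.0"?>
        <!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>
        <order><id>&ext;</id></order>
    """.trimIndent()

    val doc = parseUntrusted(benign)
    println("benign document root: " + doc.documentElement.tagName)
    println("DOCTYPE payload rejected: " + isRejectedAsDoctype(withExternalEntity))
}
```

Running main parses the benign document normally and reports that the DOCTYPE-carrying document is rejected before any entity is resolved, so the placeholder file is never opened. The same factory should be used for every parser that sees request data; a single unhardened DocumentBuilderFactory.newInstance() elsewhere in the application reopens the hole.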
Resolution timeline
Date/time | Notes |
---|---|
12/12/2024 0949 | Advisory opened by @JAckLosingHeart |
12/12/2024 1004 | Advisory accepted and private fork created |
12/12/2024 1015 | Issue recreated on private fork with failing test |
12/12/2024 1056 | PR raised on private fork with fix and request for review |
12/12/2024 1226 | PR reviewed and accepted |
12/12/2024 1235 | PR merged |
12/12/2024 1243 | CVE requested from GitHub |
12/12/2024 1502 | CVE number CVE-2024-55875 assigned |
12/12/2024 1530 | Patch applied to http4k-LTS-v4, and http4k EE LTS v4.50.0.0 released to LTS Maven repo |
12/12/2024 1611 | http4k CE v5.41.0.0 released & available in Maven Central |
12/12/2024 1613 | Public disclosure |
References
- Full GitHub Advisory: https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw
- NIST CVE Registry: https://nvd.nist.gov/vuln/detail/CVE-2024-55875