SRC-2016-0024 : Oracle Knowledge Management Castor Library XML External Entity Injection Information Disclosure Vulnerability

CVE ID:

CVE-2016-3533

CVSS Score:

4.3, (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Vendors:

Oracle

Affected Products:

Oracle Knowledge Management

Vulnerability Details:

This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Oracle Knowledge Management. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the TestClient.jsp script using the inputXml parameter. An attacker could leverage this vulnerability to read the content of arbitrary files from the system.

Vendor Response:

Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Disclosure Timeline:

  • 2015-02-10 – Verified and sold to Beyond Security
  • 2016-07-19 – Coordinated public release of advisory

Proof of Concept:

https://github.com/sourceincite/poc/blob/master/SRC-2016-0024.py

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite

Acknowledgments:

Source Incite would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability.