If you're currently using Adobe Commerce version 2.4.4-p2 (or earlier) or 2.4.5-p1 (or earlier), you should be aware of a critical vulnerability that has been identified: CVE-2023-22247. This injection flaw can result in an attacker reading arbitrary files from your server without authentication, posing a serious risk to your system's security.

The Vulnerability

Adobe Commerce has an XML Injection vulnerability which allows an attacker to inject arbitrary URLs into the application. This could lead to arbitrary file system reads, giving the attacker access to sensitive information. The flaw exists due to incorrect input validation in the application, allowing for malicious XML payloads to be injected by an unauthenticated attacker.

What's concerning about this vulnerability is that it doesn't require any user interaction to be exploited. This means that a vulnerable Adobe Commerce instance could potentially be at risk, even if users aren't actively making requests.

Here's a simplified snippet illustrating the vulnerable code pattern in Adobe Commerce:

import requests
from lxml import etree

def handle_request(xml_data):
    # Parse the incoming XML data supplied by the (unauthenticated) client
    root = etree.fromstring(xml_data)

    # Extract the URL from the XML data; nothing restricts its scheme or host
    url = root.find("URL").text

    # Fetch the content from the URL exactly as supplied
    return requests.get(url)

In this example, the application parses the incoming XML data using the lxml library and then extracts the URL from the parsed data. Finally, the application fetches the content from the URL using a GET request.

The issue arises when an attacker is able to inject an arbitrary URL into the XML data, which the application then fetches, thereby allowing unauthorized access to sensitive information.
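The hardened counterpart to the pattern above, as an added example that is not code from the original post or from Adobe Commerce. It uses Python's standard-library xml.etree.ElementTree instead of lxml so it runs with no third-party packages; the element names (request, URL), the allowlisted host api.example.com and the function names are assumptions for illustration. The fix is not in the parser but in refusing to fetch anything that is not an http(s) URL to an approved host, and in rejecting DTD and entity declarations the application never needs:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Only plain web schemes may be fetched; file://, ftp://, gopher:// etc. are refused.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def parse_request_xml(xml_bytes):
    """Parse an incoming <request><URL>...</URL></request> body defensively.

    Assumed document shape for this example; returns the URL text or raises ValueError.
    """
    # The application never needs a DTD, and DTDs are the vehicle for
    # entity-expansion and external-entity tricks, so refuse them outright.
    upper = xml_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    node = root.find("URL")
    if node is None or not (node.text or "").strip():
        raise ValueError("missing URL element")
    return node.text.strip()


def validate_fetch_url(url, allowed_hosts):
    """Accept only http(s) URLs to an allowlisted host; return the URL unchanged."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = (parsed.hostname or "").lower()
    if not host:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    if host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host!r}")
    return url


def check_request(xml_bytes, allowed_hosts):
    """Return (True, url) if the body may be fetched, else (False, reason)."""
    try:
        url = validate_fetch_url(parse_request_xml(xml_bytes), allowed_hosts)
    except ValueError as exc:
        return False, str(exc)
    return True, url


def fetch_from_request(xml_bytes, allowed_hosts, fetcher):
    """Validate first, then hand the approved URL to an injected fetcher.

    `fetcher` is a callable such as requests.get; it is only ever invoked with a URL
    that passed validation, so the raw client-supplied value never reaches it.
    """
    accepted, detail = check_request(xml_bytes, allowed_hosts)
    if not accepted:
        raise ValueError(detail)
    return fetcher(detail)


if __name__ == "__main__":
    # Constructed sample bodies, including the file:// payload shown in this article.
    samples = [
        b"<request><URL>file:///etc/passwd</URL></request>",
        b"<request><URL>https://api.example.com/feed</URL></request>",
        b"<request><URL>http://internal.example.test/</URL></request>",
        b'<!DOCTYPE r [<!ENTITY x "y">]><request><URL>https://api.example.com/</URL></request>',
        b"<request><Other>x</Other></request>",
    ]
    for body in samples:
        print(body, "->", check_request(body, {"api.example.com"}))
```

When wiring the real fetcher, call requests.get with allow_redirects=False and an explicit timeout, otherwise an approved host that issues a redirect can still steer the request somewhere the allowlist never saw.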

Exploiting the Vulnerability

An attacker could exploit this vulnerability by crafting a malicious XML payload that includes a URL pointing to a local or remote file they want to read from the target system. Here's an example of an XML payload for exploiting this vulnerability:

<request>
  <URL>file:///etc/passwd</URL>
</request>

By injecting this XML payload into the vulnerable application, the attacker could potentially read the contents of the /etc/passwd file on the target system.

Original References

- Adobe Security Bulletin
- NIST NVD

Mitigation

For version 2.4.5-p1 and earlier, upgrade to 2.4.5-p2.

It is strongly recommended to update your Adobe Commerce instance to the latest version available to mitigate the risk of exploitation.

In conclusion, CVE-2023-22247 presents a considerable threat to the security of your Adobe Commerce instance if you're running a vulnerable version. Keeping your software updated and well-maintained is one of the best ways to protect your system against such vulnerabilities. If you are using a version of Adobe Commerce affected by this flaw, you are strongly encouraged to apply the relevant patches and ensure that your system is secure.

Timeline

Published on: 03/27/2023 21:15:00 UTC
Last modified on: 04/04/2023 20:51:00 UTC