Impact
When a BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which parses the XML document without preventing the expansion of external entities. Such entities can be declared to read arbitrary files from the file system and dump their contents into the final XML document to be migrated. If the file contents end up in properties included in the resulting YAML file, an attacker will be able to read them. E.g.:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY file SYSTEM "file:///etc/passwd">
]>
<data>&file;</data>
If not, it is still possible for an attacker to exfiltrate the contents of these files out of band.
This issue may lead to arbitrary file read.
Patches
This issue was addressed in 4.0.3 by ignoring ENTITY declarations in the XML file.
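The following is an added example, not the affected project's code or the fix shipped in 4.0.3: it shows how a DocumentBuilderFactory can be configured so that the payload above is rejected before any entity is resolved. The class name HardenedXmlParser and the helper methods are assumptions introduced for illustration; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper, not part of the affected project.
public class HardenedXmlParser {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations outright,
    // so neither internal nor external entities can be declared, let alone expanded.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: any document carrying a DOCTYPE is rejected by the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for parsers that lack the feature above:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses an in-memory build spec with the hardened builder.
    static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        try (ByteArrayInputStream in =
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            return newHardenedBuilder().parse(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign spec: parses normally.
        String benign = "<data>hello</data>";
        System.out.println("benign root: " + parse(benign).getDocumentElement().getTagName());

        // The payload from the advisory above: rejected with a SAXParseException
        // before the SYSTEM entity is ever resolved.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE data [<!ENTITY file SYSTEM \"file:///etc/passwd\">]>"
                + "<data>&file;</data>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: document was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE entirely is stricter than ignoring ENTITY declarations: it also blocks parameter entities and external DTD fetches, at the cost of refusing any build spec that legitimately carries a DOCTYPE. If such specs must be accepted, the remaining feature settings still disable resolution of external general and parameter entities.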
Credits
This issue was discovered by @pwntester