# CVE-2023-45612
- https://nvd.nist.gov/vuln/detail/CVE-2023-45612
### Description of CVE
In JetBrains Ktor before 2.3.5, the default configuration of ContentNegotiation with the XML format was vulnerable to XXE.
The vulnerability was patched by @marychatte on Sep 29, 2023 (https://github.com/ktorio/ktor/pull/3770). It was a supply-chain issue: the root cause was a misconfiguration in the external library `xmlutil` version 0.86.1, which Ktor uses for its XML serialization.
<img width="1671" height="1150" alt="vulnerability_xmlutil_diff" src="https://github.com/user-attachments/assets/3608f7bc-d5d8-4039-aac6-2bae7f39c6a4" />
Based on the OWASP guide (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser), the fix is not comprehensive enough. I found an interesting answer here (https://security.stackexchange.com/questions/260956/java-xxe-vulnerability): `The main objective is to disable DTDs, it basically consists of the primary defense against this attack.`
<img width="1226" height="788" alt="OWASP_Cheatsheet_XXE" src="https://github.com/user-attachments/assets/cb3beb0b-343a-4e76-b732-e8d00a397c1f" />
### What is OWASP?
- **OWASP** (*Open Worldwide Application Security Project*) is a global, nonprofit community focused on improving software security. It provides free, vendor-neutral resources such as documentation, tools, and training to help developers, security researchers, and organizations build secure applications. One of its best-known projects is the **OWASP Top 10**, which highlights the most critical web application security risks.
## Proof of Concept
<img width="1449" height="967" alt="Proof_of_Concept-script" src="https://github.com/user-attachments/assets/05f46ae9-7d00-4aed-a461-b219aea55e32" />
### Prevention Guidelines
- Upgrade: Ktor to ≥ 2.3.5 and xmlutil to a patched version
- Harden XML parsing:
	- Disable DOCTYPE declarations
	- Disable external general/parameter entities
	- Disable external DTD loading
	- Enable FEATURE_SECURE_PROCESSING
	- Disable XInclude
- Prefer JSON over XML unless strictly required
- Principle of least privilege: run the service that parses XML without filesystem or outbound network access
- Input validation: reject payloads containing a DOCTYPE declaration at the application layer
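The last guideline, implemented as an added example that is not part of this PoC repository: a Python parser (stdlib expat) that refuses any payload carrying a DOCTYPE by hooking the parser's own DOCTYPE callback, and never resolves parameter or external entities. The sample payloads are constructed here and the `SYSTEM` path is a placeholder; the UTF-16 variant shows why a byte-level substring search for `<!DOCTYPE` is not enough.

```python
import xml.parsers.expat as expat

# Constructed sample payloads (not from the PoC); the SYSTEM path is a placeholder.
SAFE_PAYLOAD = b'<?xml version="1.0"?><note><to>ops</to><body>hello</body></note>'
DOCTYPE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    b'<note><body>&ext;</body></note>'
)
# Same document as UTF-16 with a BOM: a byte search for b"<!DOCTYPE" misses it, hence the parser-based check.
DOCTYPE_PAYLOAD_UTF16 = DOCTYPE_PAYLOAD.decode("ascii").encode("utf-16")


class DoctypeRejected(ValueError):
    """Raised when the payload declares a DOCTYPE (and so may declare entities)."""


def parse_without_dtd(payload: bytes) -> dict:
    """Parse `payload` into {element: text}, aborting on any DOCTYPE via the parser's callback."""
    parser = expat.ParserCreate()  # encoding auto-detected from BOM / XML declaration
    # Never read or expand parameter entities, so no external DTD subset is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_chars(data):
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    # Returning 0 tells expat to fail the parse instead of resolving an external entity.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_chars
    parser.Parse(payload, True)
    return result


def is_rejected(payload: bytes) -> bool:
    """True if the hardened parser refuses the payload because of a DOCTYPE."""
    try:
        parse_without_dtd(payload)
        return False
    except DoctypeRejected:
        return True
```

This complements, rather than replaces, the parser-level hardening listed above (disabling DTDs and external entities in the XML library itself).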
## References
- https://security.stackexchange.com/questions/260956/java-xxe-vulnerability
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/xml-parsing-xee/
- https://github.com/jwenjian/ghiblog/issues/37
- https://www.jetbrains.com/privacy-security/issues-fixed/?product=Ktor
- https://patorjk.com/software/taag/#p=display&f=Big&t=CVE-2023-45612%0A&x=none&v=4&h=4&w=80&we=false
- https://github.com/ktorio/ktor/blob/05f8f73b8e20962fe55c003eb0757113e3495272/ktor-shared/ktor-serialization/ktor-serialization-kotlinx/ktor-serialization-kotlinx-xml/jvm/test/XmlServerKotlinxSerializationTest.kt