Platform
kotlin
Component
http4k
Opgelost in
5.41.1
CVE-2024-55875 describes an XXE (XML External Entity Injection) vulnerability affecting http4k, a Kotlin HTTP toolkit. This vulnerability allows attackers to exploit improper handling of malicious XML content within requests, potentially leading to sensitive data exposure and code execution. Versions of http4k prior to 5.41.0.0 are vulnerable, and a patch has been released.
The XXE vulnerability in http4k poses a significant risk. An attacker can leverage this flaw to read arbitrary files from the server's file system, potentially exposing sensitive configuration data, API keys, or source code. Furthermore, the vulnerability enables Server-Side Request Forgery (SSRF), allowing the attacker to make requests to internal or external resources on behalf of the server. In certain scenarios, successful exploitation could even lead to remote code execution, granting the attacker complete control over the affected system. The high CVSS score of 9.8 reflects the severity of this potential impact.
CVE-2024-55875 was publicly disclosed on December 12, 2024. While no active exploitation campaigns have been publicly reported, the vulnerability's severity and the availability of a public proof-of-concept increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations should prioritize patching.
Applications built using http4k versions prior to 5.41.0.0, particularly those handling user-supplied XML data, are at significant risk. Services relying on http4k for XML parsing and processing, especially those deployed in production environments, should be prioritized for patching. Shared hosting environments where multiple applications share the same server instance are also at increased risk.
• kotlin / server: Examine application logs for XML parsing errors or unusual network requests originating from within the application. Use a debugger to trace the XML parsing process and identify potential external entity resolution attempts.
• generic web: Use curl to send crafted XML payloads containing external entity references to endpoints handled by http4k and monitor the response for sensitive data or SSRF activity.
curl -X POST -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo>&xxe;</foo>' https://your-http4k-application/endpointdisclosure
Exploit Status
EPSS
5.46% (90% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-55875 is to upgrade to version 5.41.0.0 or later of http4k. If upgrading is not immediately feasible, consider implementing input validation and sanitization to filter out potentially malicious XML content. Web application firewalls (WAFs) configured to detect and block XXE attacks can provide an additional layer of defense. Review and restrict access to sensitive files on the server to limit the potential damage from a successful exploit. After upgrading, confirm the fix by sending a crafted XML request containing external entity references and verifying that the server does not disclose any sensitive information or make unauthorized requests.
Actualice la biblioteca http4k a la versión 5.41.0.0 o superior. Esta versión contiene una corrección para la vulnerabilidad XXE. Asegúrese de validar y sanitizar cualquier entrada XML antes de procesarla para evitar posibles ataques.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-55875 is a critical XXE Injection vulnerability in http4k versions 5.40.0.0 and earlier, allowing attackers to read local files, perform SSRF, and potentially execute code.
You are affected if you are using http4k version 5.40.0.0 or earlier. Upgrade to version 5.41.0.0 to mitigate the risk.
Upgrade to version 5.41.0.0 of http4k. As a temporary workaround, implement input validation and sanitization to filter malicious XML content.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official http4k project website and GitHub repository for updates and security advisories related to CVE-2024-55875.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.