A vulnerability, which was classified as critical, was found in OpenFire User Import Export Plugin 2.6.0. This affects some unknown functionality of the component XML Data Handler. The manipulation with an unknown input leads to a xml external entity reference vulnerability. CWE is classifying the issue as CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.

The bug was discovered 07/19/2017. The weakness was disclosed 05/15/2018 (Website). The advisory is shared at talosintelligence.com. This vulnerability is uniquely identified as CVE-2017-2815 since 12/01/2016. The exploitability is told to be easy. It is possible to initiate the attack remotely. A authentication is required for exploitation. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 300 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Name

• OpenFire User Import Export Plugin

Version

• 2.6.0

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion