PT-2020-19268 · Sos · Sos Jobscheduler
Author: Oliver Haufe
Published: 2020-02-06
Updated: 2020-02-07
CVE: CVE-2020-6856
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SOS JobScheduler versions 1.12 through 1.13.2
Description
A vulnerability exists in the JOC Cockpit component, allowing attackers to read files from the server via an entity declaration in XML documents used for job and order run-time settings.
Recommendations
For SOS JobScheduler versions 1.12 through 1.13.2, consider disabling XML External Entity (XXE) processing in the JOC Cockpit component until a patch is available. Restrict access to sensitive files on the server to minimize the risk of exploitation.
Fix
XML Entity Expansion
Affected Products
Sos Jobscheduler