PT-2024-13676 · Unknown · Kiuwan Sast +1

C. Schwarz +2 · Published 2024-06-20 · Updated 2024-07-03 · CVE-2023-49110

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kiuwan SAST version master.1808.p685.q13371

Description: The issue arises when the Kiuwan Local Analyzer uploads scan results to the Kiuwan SAST web application, which processes the uploaded XML files with external entity resolution enabled. This allows an XML external entity (XXE) injection attack. An attacker with privileges to scan source code can read files from the operating system with the rights of the application server user, potentially gaining access to sensitive files such as configuration files and passwords. The attacker can also make the server initiate connections to internal systems, enabling port scans or access to other internal functions and applications.

Recommendations: For version master.1808.p685.q13371, consider disabling the XML entity resolution feature in the Kiuwan SAST web application until a patch is available. Restrict access to the "Code Security" module to minimize the risk of exploitation. Avoid using the Kiuwan Local Analyzer to upload scan results to the Kiuwan SAST web application until the issue is resolved.
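The recommendation above boils down to two parser-side controls: never accept a DTD in an uploaded scan result (a DTD is the only place an external entity can be declared), and, as defence in depth, configure the XML parser so it does not fetch external general or parameter entities even if one is declared. The following is an added example written for this advisory, not Kiuwan's code and not a reproduction of its upload handler; it assumes only the Python 3.7.1+ standard library, and the sample uploads, element names and placeholder file path are constructed.

```python
# Added example (not Kiuwan's code): a hardened intake path for uploaded XML scan
# results. Two controls remove the XXE surface described in the advisory: refuse any
# DTD before parsing, and explicitly disable external entity resolution in the parser.
# Standard library only (Python 3.7.1+, where xml.sax no longer expands external
# general entities by default; we still set the features explicitly).
import io
import re
import xml.sax
from xml.sax import SAXParseException
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class XmlIntakeError(ValueError):
    """Raised when an uploaded document is refused."""


# Case-insensitive match for a DTD declaration. Every entity, external or internal,
# must be declared inside a DTD, so refusing the DTD removes the XXE surface outright.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def reject_doctype(data: bytes) -> None:
    """Control 1: refuse any upload that carries a DTD. Scan results never need one."""
    if _DOCTYPE_RE.search(data):
        raise XmlIntakeError("DOCTYPE/DTD not allowed in uploaded scan results")


class _Collector(ContentHandler):
    """Minimal handler that records element names and character data for the demo."""

    def __init__(self) -> None:
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs) -> None:
        self.elements.append(name)

    def characters(self, content) -> None:
        self.text.append(content)


def parse_scan_results(data: bytes) -> dict:
    """Parse an uploaded scan-result document with entity resolution disabled."""
    reject_doctype(data)
    parser = xml.sax.make_parser()
    # Control 2 (defence in depth): even if a DTD slipped past the first check, the
    # parser must not fetch external general entities (file://, http://) or external
    # parameter entities on the server's behalf.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except SAXParseException as exc:
        raise XmlIntakeError(f"malformed XML: {exc.getMessage()}") from exc
    return {"elements": handler.elements, "text": "".join(handler.text).strip()}


def is_accepted(data: bytes) -> bool:
    """True if the upload passes both controls and parses cleanly, False if refused."""
    try:
        parse_scan_results(data)
    except XmlIntakeError:
        return False
    return True


# Constructed sample uploads; the element names are invented and are not real
# Kiuwan Local Analyzer output.
BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<scan tool="example-analyzer"><finding id="1">sample finding</finding></scan>"""

# Constructed document shaped like the class of input the advisory describes: a DTD
# declaring an external entity that a permissive server-side parser would resolve.
# The path is a placeholder, not a real target.
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE scan [ <!ENTITY ext SYSTEM "file:///placeholder/server-side/file"> ]>
<scan><finding id="1">&ext;</finding></scan>"""

if __name__ == "__main__":
    print(parse_scan_results(BENIGN_UPLOAD))
    print("XXE-shaped upload accepted:", is_accepted(XXE_UPLOAD))
```

The DOCTYPE gate is the decisive control and is what "disabling the XML entity resolution feature" amounts to in practice; the parser features are kept as a second layer so that a future code path that parses without the gate still cannot read local files or open outbound connections via entities.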

Fix

XXE

Weakness Enumeration

Related Identifiers: CVE-2023-49110

Affected Products: Kiuwan Local Analyzer, Kiuwan Sast