What is CVE-2020-11991?

CVE-2020-11991 is a vulnerability in Apache Cocoon. Published 2020-09-11.

Is CVE-2020-11991 known to be exploited?

24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Cocoon

CVE-2020-11991

When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

EPSS: 0.931 (99.8th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Cocoon — versions Apache Cocoon 2.1.0 to 2.1.12

Public proof-of-concept exploits

0day404/vulnerability-poc
20142995/Goby
20142995/nuclei-templates
404notf0und/CVE-Flow
ARPSyndicate/cvemon
ARPSyndicate/kenzer-templates
ArrestX/--POC
Elsfa7-110/kenzer-templates
H4ckTh3W0r1d/Goby_
HimmelAward/Goby_

References

lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-11991?: CVE-2020-11991 is a vulnerability in Apache Cocoon. Published 2020-09-11.
Is CVE-2020-11991 known to be exploited?: 24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.