API Security Blog

Journyx Unauthenticated XML External Entities Injection

Vulnerability Details

Affected Vendor: Journyx
Affected Product: Journyx (jtime)
Affected Version: 11.5.4
Platform: GNU/Linux
CWE Classification: CWE-611: Improper Restriction of XML External Entity Reference
CVE ID: CVE-2024-6893

Vulnerability Description

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and exhaust the web server's resources.

Technical Description

From an unauthenticated perspective, a user can send an HTTP request to the "/jtcgi/soap_cgi.pyc" endpoint. The body of the HTTP request is read and processed by the Journyx web server as XML. To process these SOAP requests, the third-party component "SOAPpy" is used. The built-in XML parser for "SOAPpy" is "xml.sax". According to the "xml.sax" documentation (https://docs.python.org/3/library/xml.sax.html), versions before 3.7.1 enable XML external entities by default. Since Journyx version 11.5.4 ships with Python 3.6, the SOAP API endpoint is vulnerable.

Mitigation and Remediation Recommendation

The vendor reports that this issue was remediated in Journyx v13.0.0, which is the first wholly cloud-hosted version of this product. For self-hosted versions of Journyx, external entity processing can be disabled by editing the old bundled version of SOAPpy, modifying the "Parser.py" file:

--- Parser.py.orig …
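The advisory describes the fix only as disabling external entity processing in the xml.sax parser that SOAPpy's "Parser.py" constructs. The following is an added example, not code from the advisory, from Journyx or from SOAPpy, showing what that configuration looks like in stand-alone form and how a defender can verify it: the parser has the xml.sax features "external-general-entities" and "external-parameter-entities" switched off explicitly (so the behaviour does not depend on the Python version), and an optional DOCTYPE guard rejects any SOAP body that carries a DTD at all, which is an extra defence-in-depth check assumed here rather than something the advisory states. The SOAP envelopes, the element name "data" and the placeholder file path are all constructed for this example.

```python
import io
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes


class TextCollector(xml.sax.ContentHandler):
    """Collects the character data of each element, keyed by its qualified name."""

    def __init__(self):
        super().__init__()
        self.current = None
        self.text = {}

    def startElement(self, name, attrs):
        self.current = name
        self.text.setdefault(name, "")

    def characters(self, content):
        if self.current is not None:
            self.text[self.current] += content

    def endElement(self, name):
        self.current = None


def make_hardened_parser():
    """Build an xml.sax parser that never resolves external entities.

    This is the configuration a patch to SOAPpy's Parser.py would apply to the
    parser it creates (assumption: the advisory does not show the patch body).
    Setting both features explicitly makes the result independent of the
    Python version's default (external general entities were on before 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    return parser


def has_doctype(body: bytes) -> bool:
    """Cheap pre-parse guard: SOAP bodies have no legitimate need for a DTD."""
    return b"<!DOCTYPE" in body


def parse_soap_body(body: bytes, reject_doctype: bool = True) -> dict:
    """Parse a SOAP request body with the hardened parser.

    Returns a mapping of element name -> collected text. With reject_doctype
    set, any body containing a DOCTYPE is refused before parsing begins.
    """
    if reject_doctype and has_doctype(body):
        raise ValueError("DOCTYPE declarations are not accepted on this endpoint")
    handler = TextCollector()
    parser = make_hardened_parser()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.text


def is_rejected(body: bytes) -> bool:
    """True if the DOCTYPE guard would refuse this body."""
    try:
        parse_soap_body(body)
    except ValueError:
        return True
    return False


# Constructed sample: an envelope whose DTD declares an external general entity
# and references it in the body. The system id is a placeholder path, not a
# real file; the hardened parser must leave the reference unresolved.
SAMPLE_XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [
  <!ENTITY ext SYSTEM "file:///placeholder/constructed-sample.txt">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <data>&ext;</data>
  </soap:Body>
</soap:Envelope>
"""

# Constructed sample: an ordinary envelope without a DTD.
SAMPLE_SAFE_BODY = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <data>hello</data>
  </soap:Body>
</soap:Envelope>
"""


if __name__ == "__main__":
    # Even with the DOCTYPE guard off, the entity expands to nothing.
    print(repr(parse_soap_body(SAMPLE_XXE_BODY, reject_doctype=False)["data"]))
    print(is_rejected(SAMPLE_XXE_BODY), is_rejected(SAMPLE_SAFE_BODY))
    print(parse_soap_body(SAMPLE_SAFE_BODY)["data"])
```

The two checks are layered deliberately: the parser features are the actual remediation (the entity reference yields an empty string instead of file contents), while the DOCTYPE guard is a cheap, version-independent backstop that a self-hosted deployment can apply in front of the endpoint and that also makes any attempt easy to log.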
