How do I know whether my application is vulnerable to CVE-2020-13692?


The NVD reports PostgreSQL JDBC Driver as having an XXE vulnerability with High severity (7.7), see https://nvd.nist.gov/vuln/detail/CVE-2020-13692. This type of vulnerability has to do with parsing external entities in XML.

I cannot find information on how one can actually use a compromised XML file to exploit this vulnerability in the PostgreSQL JDBC Driver, though. Is it when the application tries to store an XML file in the database? Are there XML config files that are parsed and that, when compromised, cause an issue? Other uses? How do I know whether the vulnerable part is actually used in my application and whether it's vulnerable?


1 answer

Marek Puchalski On

Checking exploitability based on CVE documentation alone can be really time-consuming trouble. Every time I did stuff like this I ended up reading source code before and after the fix to understand what was wrong (or gave up before that, as it seemed too troublesome). Sometimes you can search for exploit code on sites like https://www.exploit-db.com/ or in Metasploit, but usually you will not be successful.

My advice: upgrade. Use the time to perform tests on the application to make sure that after the upgrade all is working fine.
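One practical way to answer the "is the vulnerable part actually used" question is to locate where the driver parses XML on the application's behalf, as opposed to merely transporting it as text. The Java program below is an added example, not code from the question, the answer or the pgjdbc project; it assumes that the affected code is the driver's java.sql.SQLXML implementation (the part that turns database-supplied XML into a parsed DOM), and the connection URL, credentials and table name are placeholders.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLXML;
import java.sql.Statement;
import javax.xml.transform.dom.DOMSource;

public class PgJdbcXmlPathCheck {

    // Constructed placeholders: point these at your own database and a table
    // that has a column of PostgreSQL type "xml".
    static final String URL = "jdbc:postgresql://localhost:5432/<your_db>";
    static final String QUERY = "SELECT payload FROM <your_xml_table> LIMIT 1";

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, "<user>", "<password>")) {
            // 1. Record the exact driver build in use and compare it yourself with
            //    the affected-version range listed in the NVD entry for CVE-2020-13692.
            DatabaseMetaData md = conn.getMetaData();
            System.out.printf("Driver: %s %s%n", md.getDriverName(), md.getDriverVersion());

            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(QUERY)) {
                if (!rs.next()) {
                    return;
                }
                // 2a. Reading the column as a String hands the raw text to the
                //     application; the driver performs no XML parsing here.
                String raw = rs.getString(1);
                System.out.println("Raw text length: " + raw.length());

                // 2b. Reading it as java.sql.SQLXML and asking for a parsed Source
                //     makes the driver itself parse database-supplied XML.
                //     Assumption: this SQLXML path is the affected code, so these
                //     call sites are what to search for in your code base when
                //     deciding whether the vulnerable part is reached at all.
                SQLXML xml = rs.getSQLXML(1);
                try {
                    DOMSource dom = xml.getSource(DOMSource.class);
                    System.out.println("Parsed by driver: " + (dom.getNode() != null));
                } finally {
                    xml.free();
                }
            }
        }
    }
}
```

An application that only ever reads or writes xml columns as plain strings never exercises step 2b, which is the distinction the question is asking about; the upgrade the answer recommends remains the safe course either way.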