CVE-2023-49110
Severity CVSS v4.0:
Pending analysis
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
20/06/2024
Last modified:
04/11/2025
Description
When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web application (either on-premises or cloud/SaaS solution), the transmitted data consists of a ZIP archive containing several files, some of them in the XML file format. During Kiuwan's server-side processing of these XML files, it resolves external XML entities, resulting in an XML external entity (XXE) injection. An attacker with privileges to scan source code within the "Code Security" module can read any file on the operating system that the application server user has access to, potentially obtaining sensitive files such as configuration files and passwords. Furthermore, this vulnerability also allows an attacker to initiate connections to internal systems, e.g. for port scans or for accessing other internal functions/applications such as the Wildfly admin console of Kiuwan.

This issue affects Kiuwan SAST:
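The fix for this class of bug is on the parsing side: the server must process the XML files extracted from the uploaded ZIP with a parser that refuses DOCTYPE declarations and never fetches external entities or DTDs. The following is an added illustration of such a hardened JAXP configuration, not Kiuwan's own code; the class name, the `parseUntrusted` method and the sample document are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    /** Builds a DocumentBuilder that rejects DOCTYPE declarations and never
     *  resolves external general/parameter entities or external DTDs. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest setting: no DOCTYPE at all, so no entity can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+: block remaining outbound DTD/schema fetches (the SSRF half of the issue).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Parses one XML file taken from an untrusted upload, e.g. an entry of the results ZIP. */
    static Document parseUntrusted(InputStream xml) throws Exception {
        return newHardenedBuilder().parse(xml);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document (assumption): a DOCTYPE declaring an external entity,
        // the general shape a hardened parser must refuse before resolving anything.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///example\">]>\n"
            + "<r>&ext;</r>";
        try {
            parseUntrusted(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
            System.out.println("UNEXPECTED: document accepted");
        } catch (SAXParseException e) {
            // Expected path: parsing stops at the DOCTYPE, so the SYSTEM URI is never fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same feature flags apply to SAXParserFactory, XMLInputFactory and Transformer instances, so every XML entry point that handles the uploaded archive needs the equivalent settings, not only the DOM parser shown here.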
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH