05-11-2021 03:07 PM - edited 05-11-2021 05:08 PM
A vulnerability in Infoblox NIOS may allow for an XML Bomb attack. The configuration for SAML authentication service for the application can be imported by a privileged user from an XML file without validation, potentially resulting in a Denial of Service (DOS).
The Infoblox NIOS application allows users to import authentication service configurations by parsing an XML file, without prior validation of the file’s content. This may be exploited by a malicious user by uploading an XML file with calls to recursive entities. The server will be delayed while parsing the content of the XML file, resulting in a DOS.
CVSSv3 Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Affected NIOS Versions:
Affects NIOS versions which support SAML authentication. Specifically:
NIOS 8.4.0 through NIOS 8.4.8
NIOS 8.5.0, NIOS 8.5.1
Infoblox addresses the CVE: CVE-2020-15303 vulnerability in NIOS 8.5.2.
To eliminate the possibility of exploiting the above vulnerability, Infoblox strongly recommends upgrading to NIOS 8.5.2 or above.