CVE-2020-11xxx
This challenge covers the review of a CVE and its patch.
The Code Review Patch challenges offer a hands-on approach to understanding code vulnerabilities by presenting both the original, vulnerable code and the patch that fixes it. Initially, you are encouraged to find the security flaw without any hints from the patch. This method enhances your ability to analyze and scrutinize code for potential issues independently. If you struggle to identify the flaw or wish to confirm your suspicions, the patch (diff file) is available to guide you.
The exercise revolves around a specific piece of Java code from the Apache Cocoon project, which processes XML data from web requests. The vulnerable version of the code lacks appropriate security measures, making it susceptible to XML External Entity (XXE) attacks. The patch introduces critical fixes, including the use of secure SAXParser configurations to prevent such vulnerabilities. By comparing the original and patched versions, you gain a deeper understanding of secure coding practices and the importance of implementing proper security features in web applications.