ETQ Reliance XML External Entity Injection Vulnerability in SAML Authentication Handler

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in ETQ Reliance on the CG (legacy) platform. This issue arises within the '/resources/sessions/sso' endpoint, where the SAML authentication handler processes XML input without disabling external entity resolution. As a result, crafted SAML responses can invoke external entity references, potentially enabling attackers to retrieve sensitive files or perform server-side request forgery (SSRF). The vulnerability was addressed by disabling external entity processing for the affected XML parser in versions SE.2025.1 and 2025.1.2.

Impact

Exploitation of this vulnerability allows XML External Entity injection, which can lead to the retrieval of sensitive information from the server or its file system and, in some cases, to server-side request forgery (SSRF).

Reproduction

To reproduce this vulnerability, send a POST request to the '/resources/sessions/sso' endpoint with a SAMLResponse parameter that includes a crafted XML payload. Because the parser does not disable external entity resolution, the payload includes an external entity reference that, when processed, retrieves a file or performs an SSRF request. The XXE vulnerability can be confirmed by observing the error messages returned, which may include leaked file contents or indications that the external entity reference was processed.

Remediation

Users can update to ETQ Reliance version SE.2025.1 or 2025.1.2, where this vulnerability has been fixed.
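
A detection check for requests to this endpoint, added here as an example and not ETQ's code or the vendor's fix: it decodes the SAMLResponse form parameter posted to '/resources/sessions/sso' and flags any message that carries a DTD. It assumes the base64 encoding used by the SAML HTTP POST binding; the function names and sample messages are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# DTD markers; a SAML protocol message has no need for either.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def decode_xml(raw: bytes) -> str:
    """Decode XML bytes, honouring BOMs and BOM-less UTF-16 so the
    markers cannot hide behind a wide encoding."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if b"\x00" in raw[:4]:  # no BOM, but NUL bytes in the prolog
        enc = "utf-16-le" if raw[1:2] == b"\x00" else "utf-16-be"
        return raw.decode(enc, errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def inspect_sso_body(body: str) -> str:
    """Classify a form-encoded POST body sent to /resources/sessions/sso.
    Returns 'ok', 'missing', 'malformed' or 'dtd'."""
    values = parse_qs(body).get("SAMLResponse")
    if not values:
        return "missing"
    try:
        raw = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "dtd" if DTD_MARKER.search(decode_xml(raw)) else "ok"

def sample_body(xml: bytes) -> str:
    """Build a constructed form body the way the POST binding encodes it."""
    return urlencode({"SAMLResponse": base64.b64encode(xml).decode("ascii")})

# Constructed sample messages (not captured traffic). The DTD sample
# declares only a harmless internal entity.
CLEAN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
         b' ID="_constructed"/>')
WITH_DTD = b'<!DOCTYPE r [<!ENTITY e "placeholder">]>' + CLEAN

if __name__ == "__main__":
    for name, xml in (("clean", CLEAN), ("dtd", WITH_DTD),
                      ("dtd-utf16", WITH_DTD.decode().encode("utf-16"))):
        print(name, "->", inspect_sso_body(sample_body(xml)))
```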

Added: Jul 22, 2025, 1:50 PM
Updated: Jul 22, 2025, 1:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.