Bio-Formats XML External Entity Vulnerability in Leica Metadata Parser

Vulnerability

An XML External Entity (XXE) vulnerability has been identified in Bio-Formats versions through 8.3.0, specifically within the Leica Microsystems metadata parsing component. The component builds its XML parser from a DocumentBuilderFactory that is left at its JAXP defaults, so external entity expansion and loading of external DTDs remain enabled when Leica XML metadata files are processed. An attacker who can supply a crafted metadata file can therefore make the parser resolve a SYSTEM entity of their choosing: an http:// entity triggers an outbound request from the parsing host (Server-Side Request Forgery), a file:// entity reads a local file the process can open, and entity expansion or an entity that never returns can tie up the parser (denial of service).

Impact

Exploitation of this vulnerability allows XML External Entity injection, Server-Side Request Forgery (SSRF) via outbound HTTP requests from the host running Bio-Formats, disclosure of local files whose content can be inlined as well-formed XML text (binary or XML-breaking content will abort the parse instead), and denial-of-service conditions through entity expansion or parser instability. Where the parse result is not returned to the attacker, data can still be exfiltrated over a blind out-of-band channel, for example by embedding file contents in the URL of a second external entity.

Reproduction

To reproduce this vulnerability, create a crafted XLEF file whose DOCTYPE declares an external entity pointing to an attacker-controlled server (or to a local file) and references that entity in the document body. When the file is processed by the Bio-Formats Leica XML parser, the entity is resolved, producing an unauthorized network request or reading the referenced local file. The Bio-Formats ImageInfo tool (the class behind the showinf command) can be pointed at the crafted file to demonstrate the exploitation; a parser that is correctly hardened rejects the DOCTYPE before any entity is touched.

Added: Jan 7, 2026, 9:20 PM
Updated: Jan 7, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.