CVE-2022-0839 Overview
CVE-2022-0839 is a critical XML External Entity (XXE) injection vulnerability affecting Liquibase, a popular open-source database schema change management tool. The vulnerability exists in versions prior to 4.8.0 and allows attackers to exploit improper restriction of XML external entity references when processing XML input. This flaw enables remote attackers to potentially read sensitive files from the server, perform server-side request forgery (SSRF) attacks, or cause denial of service conditions without requiring authentication.
Critical Impact
Unauthenticated remote attackers can exploit this XXE vulnerability to exfiltrate sensitive data, access internal network resources, or disrupt database migration operations through maliciously crafted XML payloads.
Affected Products
- Liquibase versions prior to 4.8.0
- Oracle SQLcl 19c
- Applications and CI/CD pipelines utilizing vulnerable Liquibase libraries
Discovery Timeline
- 2022-03-04 - CVE-2022-0839 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-0839
Vulnerability Analysis
This vulnerability stems from CWE-611 (Improper Restriction of XML External Entity Reference), a well-known weakness in XML parsing implementations. Liquibase processes XML changelog files as part of its core database migration functionality. The XML parser in affected versions fails to properly disable external entity resolution, allowing attackers to inject malicious DOCTYPE declarations that reference external resources.
When Liquibase processes a crafted XML changelog containing external entity references, the parser will attempt to resolve these entities. This can lead to disclosure of sensitive files such as /etc/passwd, configuration files containing database credentials, or private keys stored on the server. The vulnerability is particularly dangerous in automated deployment pipelines where Liquibase changelogs may be sourced from untrusted repositories.
Root Cause
The root cause of this vulnerability lies in the XML parser configuration within Liquibase. The parser does not implement secure defaults for processing external entities, failing to disable features such as XMLConstants.FEATURE_SECURE_PROCESSING, external DTD loading, and external entity expansion. This oversight allows the XML parser to follow external entity declarations to arbitrary URIs, including local file paths and remote HTTP endpoints.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by supplying a malicious XML changelog file to Liquibase during database migration operations. This can occur through several scenarios:
- Injecting malicious changelogs into source code repositories
- Man-in-the-middle attacks on changelog retrieval
- Exploiting applications that allow user-controlled Liquibase changelog input
- Compromising CI/CD pipelines that execute Liquibase migrations
A typical XXE payload would include a DOCTYPE declaration with ENTITY definitions pointing to sensitive local files or external URLs. When the XML parser processes the document and resolves the entity reference, the contents of the targeted resource are included in the parsed output or sent to an attacker-controlled server.
Detection Methods for CVE-2022-0839
Indicators of Compromise
- Unusual file access patterns in application logs, particularly attempts to read sensitive system files such as /etc/passwd, /etc/shadow, or application configuration files
- Outbound HTTP/HTTPS requests to unknown external domains originating from Liquibase processes
- XML parsing errors in Liquibase logs referencing external DTD or entity resolution failures
- Unexpected network connections from database migration processes to internal network resources
Detection Strategies
- Monitor Liquibase execution logs for XML parsing exceptions related to external entity processing
- Implement network-level monitoring to detect outbound connections from systems running Liquibase to untrusted destinations
- Deploy file integrity monitoring on changelog directories to detect injection of malicious XML files
- Use static analysis tools to scan XML changelogs for potentially malicious DOCTYPE and ENTITY declarations
Monitoring Recommendations
- Configure alerting for Liquibase processes attempting to access files outside expected directories
- Establish baseline network behavior for database migration processes and alert on anomalies
- Implement centralized log aggregation for all Liquibase execution events across environments
- Monitor dependency management systems for use of vulnerable Liquibase versions
How to Mitigate CVE-2022-0839
Immediate Actions Required
- Upgrade Liquibase to version 4.8.0 or later immediately across all environments
- Audit all systems and applications for vulnerable Liquibase versions, including transitive dependencies
- Review changelog files for any suspicious XML content or unauthorized modifications
- Implement network egress filtering to restrict outbound connections from systems running Liquibase
Patch Information
The vulnerability was addressed in Liquibase version 4.8.0. The fix involves properly configuring the XML parser to disable external entity resolution. The security patch can be reviewed in the GitHub commit. Organizations using Oracle SQLcl should refer to the Oracle Security Alert July 2022 for patching guidance. Additional details about the vulnerability discovery are available in the Huntr bounty report.
Workarounds
- If immediate upgrade is not possible, implement strict input validation on all XML changelog sources
- Configure application-level XML parser security features to disable DTD processing and external entity resolution
- Restrict filesystem and network access for processes executing Liquibase migrations using sandboxing or containerization
- Implement code review processes to audit all changelog files before deployment to production environments
# Verify Liquibase version and check for vulnerable installations
liquibase --version
# Update Liquibase to patched version using Maven
mvn versions:use-latest-versions -Dincludes=org.liquibase:liquibase-core
# Gradle dependency update
./gradlew dependencyUpdates --refresh-dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
