CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:M/Au:N/C:N/I:P/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 45.3% |
Possible remote Denial of Service or Data Injection.
Patches are available in https://github.com/horazont/aioxmpp/pull/268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.
To make the bug exploitable, an error-suppressing `xso_error_handler` is required. Not using `xso_error_handler`s at all, or not using the suppression function, mitigates the vulnerability completely (to our knowledge).
The pull request contains a detailed description: https://github.com/horazont/aioxmpp/pull/268
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
aioxmpp_project | aioxmpp | * | cpe:2.3:a:aioxmpp_project:aioxmpp:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-6m9g-jr8c-cqw3
github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475
github.com/horazont/aioxmpp/commit/f151f920f439d97d4103fc11057ed6dc34fe98be
github.com/horazont/aioxmpp/pull/268
github.com/horazont/aioxmpp/security/advisories/GHSA-6m9g-jr8c-cqw3
github.com/pypa/advisory-database/tree/main/vulns/aioxmpp/PYSEC-2019-1.yaml
nvd.nist.gov/vuln/detail/CVE-2019-1000007