Moderate severity vulnerability that affects feedparser
2018-07-24T20:00:41
ID: GHSA-HJF3-R7GW-9RWG · Type: github · Reporter: GitHub Advisory Database · Modified: 2019-07-03T21:02:01
Description
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
{"cve": [{"lastseen": "2020-12-09T19:47:20", "description": "Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.", "edition": 5, "cvss3": {}, "published": "2012-05-21T22:55:00", "title": "CVE-2012-2921", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2921"], "modified": "2013-08-22T03:55:00", "cpe": ["cpe:/a:mark_pilgrim:feedparser:4.1", "cpe:/a:mark_pilgrim:feedparser:4.0.1", "cpe:/a:mark_pilgrim:feedparser:5.1.1", "cpe:/a:mark_pilgrim:feedparser:4.0.2", "cpe:/a:mark_pilgrim:feedparser:3.3", "cpe:/a:mark_pilgrim:feedparser:4.0", "cpe:/a:mark_pilgrim:feedparser:5.0", "cpe:/a:mark_pilgrim:feedparser:5.1", "cpe:/a:mark_pilgrim:feedparser:3.2", "cpe:/a:mark_pilgrim:feedparser:3.1", "cpe:/a:mark_pilgrim:feedparser:5.0.1", "cpe:/a:mark_pilgrim:feedparser:3.0", "cpe:/a:mark_pilgrim:feedparser:3.0.1", "cpe:/a:mark_pilgrim:feedparser:5.1.2"], "id": "CVE-2012-2921", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2921", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:mark_pilgrim:feedparser:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:3.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:mark_pilgrim:feedparser:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mark_pilgrim:feedparser:5.1:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T17:51:20", "description": "feedparser\u662f\u4e00\u4e2aPython\u5e93\u7528\u6765\u89e3\u6790\u5404\u79cdfeeds\r\n\r\nfeedparser\u4e0d\u6b63\u786e\u8fc7\u6ee4\u975eASCII\u7f16\u7801\u6587\u6863\u4e2d\u7279\u5236\u7684XML ENTITY\u58f0\u660e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6d88\u8017\u5927\u91cf\u5185\u5b58\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\r\n0\r\nfeedparser\r\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://freecode.com/projects/feedparser/releases/344371", "published": "2012-05-23T00:00:00", "type": "seebug", "title": "feedparser \u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e(CVE-2012-2921)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2921"], "modified": "2012-05-23T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60152", "id": "SSV:60152", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:00", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2921"], "description": "It was discovered that feedparser did not properly sanitize ENTITY \ndeclarations in encoded fields. 
A remote attacker could exploit this to \ncause a denial of service via memory exhaustion.", "edition": 5, "modified": "2012-05-22T00:00:00", "published": "2012-05-22T00:00:00", "id": "USN-1449-1", "href": "https://ubuntu.com/security/notices/USN-1449-1", "title": "feedparser vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-12-04T11:20:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1449-1", "modified": "2017-12-01T00:00:00", "published": "2012-05-25T00:00:00", "id": "OPENVAS:841014", "href": "http://plugins.openvas.org/nasl.php?oid=841014", "type": "openvas", "title": "Ubuntu Update for feedparser USN-1449-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1449_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for feedparser USN-1449-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that feedparser did not properly sanitize ENTITY\n declarations in encoded fields. A remote attacker could exploit this to\n cause a denial of service via memory exhaustion.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1449-1\";\ntag_affected = \"feedparser on Ubuntu 12.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1449-1/\");\n script_id(841014);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-25 10:41:39 +0530 (Fri, 25 May 2012)\");\n script_cve_id(\"CVE-2012-2921\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"USN\", value: \"1449-1\");\n script_name(\"Ubuntu Update for feedparser USN-1449-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-feedparser\", ver:\"5.1-0ubuntu3.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3-feedparser\", ver:\"5.1-0ubuntu3.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:1361412562310864302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864302", "type": "openvas", "title": "Fedora Update for python-feedparser FEDORA-2012-8291", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-feedparser FEDORA-2012-8291\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864302\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:01:57 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2921\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-8291\");\n script_name(\"Fedora Update for python-feedparser FEDORA-2012-8291\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-feedparser'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"python-feedparser on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n 
if ((res = isrpmvuln(pkg:\"python-feedparser\", rpm:\"python-feedparser~5.1.2~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1449-1", "modified": "2019-03-13T00:00:00", "published": "2012-05-25T00:00:00", "id": "OPENVAS:1361412562310841014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841014", "type": "openvas", "title": "Ubuntu Update for feedparser USN-1449-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1449_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for feedparser USN-1449-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1449-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841014\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-25 10:41:39 +0530 (Fri, 25 May 2012)\");\n script_cve_id(\"CVE-2012-2921\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"USN\", value:\"1449-1\");\n script_name(\"Ubuntu Update for feedparser USN-1449-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1449-1\");\n script_tag(name:\"affected\", value:\"feedparser on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that feedparser did not properly sanitize ENTITY\n declarations in encoded fields. 
A remote attacker could exploit this to\n cause a denial of service via memory exhaustion.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-feedparser\", ver:\"5.1-0ubuntu3.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3-feedparser\", ver:\"5.1-0ubuntu3.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-11T11:07:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "description": "Check for the Version of python-feedparser", "modified": "2018-01-10T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:864302", "href": "http://plugins.openvas.org/nasl.php?oid=864302", "type": "openvas", "title": "Fedora Update for python-feedparser FEDORA-2012-8291", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-feedparser FEDORA-2012-8291\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"python-feedparser on Fedora 17\";\ntag_insight = \"Universal Feed Parser is a Python module for downloading and parsing\n syndicated feeds. It can handle RSS 0.90, Netscape RSS 0.91,\n Userland RSS 0.91, RSS 0.92, RSS 0.93, RSS 0.94, RSS 1.0, RSS 2.0,\n Atom 0.3, Atom 1.0, and CDF feeds. It also parses several popular extension\n modules, including Dublin Core and Apple's iTunes extensions.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html\");\n script_id(864302);\n script_version(\"$Revision: 8352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-10 08:01:57 +0100 (Wed, 10 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:01:57 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2921\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-8291\");\n script_name(\"Fedora Update for python-feedparser FEDORA-2012-8291\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of python-feedparser\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n 
script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-feedparser\", rpm:\"python-feedparser~5.1.2~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T06:37:54", "description": "It was discovered that feedparser did not properly sanitize ENTITY\ndeclarations in encoded fields. A remote attacker could exploit this\nto cause a denial of service via memory exhaustion.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2012-05-23T00:00:00", "title": "Ubuntu 12.04 LTS : feedparser vulnerability (USN-1449-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:python-feedparser", "p-cpe:/a:canonical:ubuntu_linux:python3-feedparser", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1449-1.NASL", "href": "https://www.tenable.com/plugins/nessus/59238", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1449-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59238);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2012-2921\");\n script_xref(name:\"USN\", value:\"1449-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : feedparser vulnerability (USN-1449-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that feedparser did not properly sanitize ENTITY\ndeclarations in encoded fields. A remote attacker could exploit this\nto cause a denial of service via memory exhaustion.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1449-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected python-feedparser and / or python3-feedparser\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-feedparser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3-feedparser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/22\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python-feedparser\", pkgver:\"5.1-0ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python3-feedparser\", pkgver:\"5.1-0ubuntu3.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-feedparser / python3-feedparser\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:40", "description": "Update from 5.1 to 5.1.2.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2012-06-04T00:00:00", "title": "Fedora 17 : python-feedparser-5.1.2-2.fc17 (2012-8291)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "modified": "2012-06-04T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:python-feedparser"], "id": "FEDORA_2012-8291.NASL", "href": "https://www.tenable.com/plugins/nessus/59337", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8291.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59337);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2921\");\n script_bugtraq_id(53654);\n script_xref(name:\"FEDORA\", value:\"2012-8291\");\n\n script_name(english:\"Fedora 17 : python-feedparser-5.1.2-2.fc17 (2012-8291)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update from 5.1 to 5.1.2.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=824600\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0d6561d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-feedparser package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-feedparser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"python-feedparser-5.1.2-2.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-feedparser\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T11:54:08", "description": "Updated python-feedparser package fixes security vulnerability :\n\nUniversal Feed Parser (aka feedparser or python-feedparser) before\n5.1.2 allows remote attackers to cause a denial of service (memory\nconsumption) via a crafted XML ENTITY declaration in a non-ASCII\nencoded document (CVE-2012-2921).", "edition": 24, "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : python-feedparser (MDVSA-2013:118)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2921"], "modified": "2013-04-20T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:python-feedparser", "cpe:/o:mandriva:business_server:1"], "id": "MANDRIVA_MDVSA-2013-118.NASL", "href": "https://www.tenable.com/plugins/nessus/66130", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory 
MDVSA-2013:118. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66130);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-2921\");\n script_bugtraq_id(53654);\n script_xref(name:\"MDVSA\", value:\"2013:118\");\n script_xref(name:\"MGASA\", value:\"2012-0157\");\n\n script_name(english:\"Mandriva Linux Security Advisory : python-feedparser (MDVSA-2013:118)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated python-feedparser package fixes security vulnerability :\n\nUniversal Feed Parser (aka feedparser or python-feedparser) before\n5.1.2 allows remote attackers to cause a denial of service (memory\nconsumption) via a crafted XML ENTITY declaration in a non-ASCII\nencoded document (CVE-2012-2921).\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-feedparser package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python-feedparser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"python-feedparser-5.1.2-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2921"], "description": "Universal Feed Parser is a Python module for downloading and parsing syndicated feeds. It can handle RSS 0.90, Netscape RSS 0.91, Userland RSS 0.91, RSS 0.92, RSS 0.93, RSS 0.94, RSS 1.0, RSS 2.0, Atom 0.3, Atom 1.0, and CDF feeds. It also parses several popular extension modules, including Dublin Core and Apple's iTunes extensions. 
", "modified": "2012-06-01T17:15:11", "published": "2012-06-01T17:15:11", "id": "FEDORA:DBD0221958", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: python-feedparser-5.1.2-2.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}