Lucene search

GitHub Advisory DatabaseGHSA-M8GQ-83GH-V42V

HistoryMar 16, 2022 - 12:00 a.m.

XML External Entities Vulnerability in CVRF-CSAF-Converter

2022-03-1600:00:49

CWE-552

CWE-611

GitHub Advisory Database

github.com

cvrf-csaf-converter

xml external entities

xxe

arbitrary file inclusion

information disclosure

software vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

EPSS

0.001

Percentile

25.9%

JSON

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

Affected configurations

Vulners

Node

cvrf2csafRange≤1.0.0rc1

VendorProductVersionCPE
*cvrf2csaf*cpe:2.3:a:*:cvrf2csaf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	cvrf2csaf	*	cpe:2.3:a::cvrf2csaf::::::::*

References

github.com/advisories/GHSA-m8gq-83gh-v42v

github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2

nvd.nist.gov/vuln/detail/CVE-2022-27193

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

EPSS

0.001

Percentile

25.9%

JSON

Related for GHSA-M8GQ-83GH-V42V