Lucene search

K

Veracode Vulnerability DatabaseVERACODE:44995

HistoryJan 10, 2024 - 6:41 a.m.

XML External Entity Injection

2024-01-1006:41:07

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7

xml external entity

fonttools

ot-svg font

information disclosure

vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

31.2%

fonttools is vulnerable to XML External Entity Injection. The vulnerability is due to a misconfigured xml parser which allows external entities to be included in OT-SVG font. This issue can be exploited by an attacker by building a OT-SVG font which includes xml external entities, resulting in information disclosure.

References

www.openwall.com/lists/oss-security/2024/03/08/2

www.openwall.com/lists/oss-security/2024/03/09/1

github.com/advisories/GHSA-6673-4983-2vx5

github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c

github.com/fonttools/fonttools/releases/tag/4.43.0

github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5

lists.fedoraproject.org/archives/list/[email protected]/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

31.2%

Related for VERACODE:44995

osv2 nvd1 ubuntucve1 nessus1 debiancve1 mageia1 redhatcve1 cvelist1 cve1 prion1 fedora1 openvas2 github1