Описание
CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
Ссылки
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:alpha:*:*:*:*:*:*
cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev1:*:*:*:*:*:*
cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev2:*:*:*:*:*:*
cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev3:*:*:*:*:*:*
cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:rc1:*:*:*:*:*:*
EPSS
Процентиль: 42%
0.00196
Низкий
6.1 Medium
CVSS3
5.5 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-611
Связанные уязвимости
CVSS3: 6.1
github
почти 4 года назад
XML External Entities Vulnerability in CVRF-CSAF-Converter
EPSS
Процентиль: 42%
0.00196
Низкий
6.1 Medium
CVSS3
5.5 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-611