CVE-2022-27193

Published: Mar 15, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

Affected (5)

Products: Cvrf Csaf Converter Project: Cvrf Csaf Converter

Cvrf Csaf Converter Project

1 product

Cvrf Csaf Converter

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Cvrf Csaf Converter Project Cvrf Csaf Converter	Version 1.0.0 alpha
Cvrf Csaf Converter Project Cvrf Csaf Converter	Version 1.0.0 dev1
Cvrf Csaf Converter Project Cvrf Csaf Converter	Version 1.0.0 dev2
Cvrf Csaf Converter Project Cvrf Csaf Converter	Version 1.0.0 dev3
Cvrf Csaf Converter Project Cvrf Csaf Converter	Version 1.0.0 rc1

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2

Source: cve@mitre.org

Third Party Advisory

https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.