CVE-2022-27193

Description

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

Related CPE's

acvrf-csaf-converter_projectcvrf-csaf-converter1.0.0alpha******

acvrf-csaf-converter_projectcvrf-csaf-converter1.0.0dev1******

acvrf-csaf-converter_projectcvrf-csaf-converter1.0.0dev2******

acvrf-csaf-converter_projectcvrf-csaf-converter1.0.0dev3******

acvrf-csaf-converter_projectcvrf-csaf-converter1.0.0rc1******

References

https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2

Third Party Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

LOCAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

PrivilegesRequired

NONE

BaseScore

5.5

VectorString

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Version

3.1

UserInteraction

REQUIRED

CvssV2 impact

AccessComplexity

MEDIUM

ConfidentialityImpact

PARTIAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

BaseScore

4.300000190734863

VectorString

AV:N/AC:M/Au:N/C:P/I:N/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io