CVE-2022-27193 – cvrf2csaf
Package
Manager: pip
Name: cvrf2csaf
Vulnerable Version: >=0 <1.0.0rc2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00186 (percentile: 0.40644)
Details
XML External Entities Vulnerability in CVRF-CSAF-Converter
CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
Metadata
Created: 2022-03-16T00:00:49Z
Modified: 2022-03-18T23:52:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m8gq-83gh-v42v/GHSA-m8gq-83gh-v42v.json
CWE IDs: ["CWE-552", "CWE-611"]
Alternative ID: GHSA-m8gq-83gh-v42v
Finding: F083
Auto approve: 1