CVE-2020-11991

{"id": "CVE-2020-11991", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-09-11T14:15:11.160", "references": [{"url": "https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system."}, {"lang": "es", "value": "Cuando se usa StreamGenerator, el c\u00f3digo analiza un XML proporcionado por el usuario. Se podr\u00eda usar un XML especialmente dise\u00f1ado, incluyendo las entidades de sistema externas, podr\u00eda ser usado para acceder a cualquier archivo en el sistema del servidor"}], "lastModified": "2024-11-21T04:59:04.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cocoon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "566C3048-B9BC-4F9E-A0F0-D354E431AE4C", "versionEndIncluding": "2.1.12", "versionStartIncluding": "2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}