CVE-2022-27193

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2	Third Party Advisory
https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:alpha::::::
	cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev1::::::
	cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev2::::::
	cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev3::::::
	cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:rc1::::::

History

21 Nov 2024, 06:55

Type	Values Removed	Values Added
CVSS	v2 : ~~4.3~~ v3 : ~~5.5~~	v2 : 4.3 v3 : 6.1
References	~~() https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2 - Third Party Advisory~~	() https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2 - Third Party Advisory

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-552~~	CWE-611

Information

Published : 2022-03-15 05:15

Updated : 2024-11-21 06:55

NVD link : CVE-2022-27193

Mitre link : CVE-2022-27193

CVE.ORG link : CVE-2022-27193

JSON object : View

Products Affected

cvrf-csaf-converter_project

cvrf-csaf-converter

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2022-27193", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-03-15T05:15:07.193", "references": [{"url": "https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter."}, {"lang": "es", "value": "CVRF-CSAF-Converter versiones anteriores a 1.0.0-rc2, resuelve vulnerabilidades de tipo XML External Entities (XXE). Esto conlleva a una inclusi\u00f3n de contenido de archivo arbitrario (local) en el documento de salida generado. Un atacante puede explotar esto para divulgar informaci\u00f3n del sistema que ejecuta el convertidor"}], "lastModified": "2024-11-21T06:55:22.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:alpha:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9BB46F8-EDF9-4804-8AA3-59A4B9349757"}, {"criteria": "cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5639483-FB0F-4FD1-A251-42C9E0640E7B"}, {"criteria": "cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C56DD07-77B0-44B6-99BA-28E80F689E47"}, {"criteria": "cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:dev3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD3110DC-B7AB-44AE-9A88-CE1746092524"}, {"criteria": "cpe:2.3:a:cvrf-csaf-converter_project:cvrf-csaf-converter:1.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C643CA3F-0C15-4A2E-87DB-7852B052DE0B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}