CVE-2020-5227 - XML Entity Expansion vulnerability in Feedgen Project Feedgen
Summary
Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML is parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service attacks (e.g. an XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is included directly instead of providing plain text content only. This problem has been fixed in feedgen 0.9.0, which disallows XML entity expansion and external resources.
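The defensive idea from the summary (refuse DTDs, entity declarations and external resources when parsing XML a caller supplies), as an added example that is not feedgen's own code and not the fix in the linked commit. It uses only the Python standard library; the sample fragments and the names `safe_fromstring`, `is_safe_content` and `UnsafeXMLContent` are constructed here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLContent(ValueError):
    """Raised when supplied XML declares a DTD, entities or external resources."""


def _reject(*_args):
    # Fires on <!DOCTYPE ...> and on any <!ENTITY ...> declaration. Custom
    # entities (the building block of an XML bomb) and external DTDs/entities
    # can only be declared inside a DTD, so refusing the DTD refuses both.
    raise UnsafeXMLContent("DTD and entity declarations are not allowed")


def _no_external(*_args):
    # Returning 0 makes expat treat an external entity reference as an error.
    return 0


def safe_fromstring(xml_text: str) -> ET.Element:
    """Parse untrusted XML content with entity expansion and external resources disabled."""
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject
    scanner.EntityDeclHandler = _reject
    scanner.ExternalEntityRefHandler = _no_external
    try:
        scanner.Parse(xml_text, True)  # checks well-formedness and trips the handlers above
    except xml.parsers.expat.ExpatError as exc:
        # Without a DTD, any non-predefined entity such as &lol; is "undefined" -> error.
        raise UnsafeXMLContent(f"rejected XML content: {exc}") from exc
    # Only the five predefined entities (&amp; &lt; &gt; &quot; &apos;) can expand now.
    return ET.fromstring(xml_text)


def is_safe_content(xml_text: str) -> bool:
    """True if the fragment parses under the restricted rules, False if it was rejected."""
    try:
        safe_fromstring(xml_text)
        return True
    except UnsafeXMLContent:
        return False


# Constructed samples: harmless XHTML, and a tiny entity-declaring fragment
# (the shape of an XML bomb, deliberately kept to a handful of bytes).
SAFE_SAMPLE = "<div><p>hello &amp; welcome</p></div>"
ENTITY_SAMPLE = (
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">'
    '<!ENTITY b "&a;&a;&a;&a;">]><x>&b;&b;</x>'
)

if __name__ == "__main__":
    print("safe sample accepted:", is_safe_content(SAFE_SAMPLE))      # True
    print("entity sample accepted:", is_safe_content(ENTITY_SAMPLE))  # False
```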
Nessus

NASL family | Fedora Local Security Checks
NASL id | FEDORA_2020-8493201E90.NASL
description | New upstream version 0.9.0 (fixes CVE-2020-5227). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 133577
published | 2020-02-10
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/133577
title | Fedora 31 : python-feedgen (2020-8493201e90)
References
- https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f
- https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses
- https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI/