Vulnerabilities > CVE-2022-27193 - XXE vulnerability in Cvrf-Csaf-Converter Project Cvrf-Csaf-Converter 1.0.0

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

local

low complexity

cvrf-csaf-converter-project

CWE-611

NVD

Published: 2022-03-15

Updated: 2023-08-08

Summary

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

Vulnerable Configurations

Part	Description	Count
Application	Cvrf-Csaf-Converter_Project Cvrf Csaf Converter Project Cvrf Csaf Converter 1.0.0	5

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2