ID CVE-2020-27197
Summary ** DISPUTED ** TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group."
References
Vulnerable Configurations
  • cpe:2.3:a:eclecticiq:opentaxii:*:*:*:*:*:*:*:*
    cpe:2.3:a:eclecticiq:opentaxii:*:*:*:*:*:*:*:*
  • cpe:2.3:a:libtaxii_project:libtaxii:*:*:*:*:*:*:*:*
    cpe:2.3:a:libtaxii_project:libtaxii:*:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 27-10-2020 - 19:51)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
Last major update 27-10-2020 - 19:51
Published 17-10-2020 - 20:15
Last modified 27-10-2020 - 19:51
Back to Top