CVE-2020-27197 Information

Description

DISPUTED: TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise … to the lxml group."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/159662/Libtaxii-1.1.117-OpenTaxi-0.2.0-Server-Side-Request-Forgery.html

https://github.com/eclecticiq/OpenTAXII/issues/176

https://github.com/TAXIIProject/libtaxii/issues/246

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH