CVE-2019-1000007: Depth counting error in guard() leading to multiple potential security issues in aioxmpp

CVSS Score: 7.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.57584%
Published: 4/29/2020
Updated: 9/4/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| aioxmpp      | pip       | < 0.10.3            | 0.10.3                |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is explicitly attributed to the guard() function in multiple sources:

1) The CVE title directly references guard().
2) The commit diff shows critical modifications to the guard() function's depth tracking logic.
3) The advisory describes how improper depth counting in guard() leads to XML context confusion.
4) The patch specifically restructures guard()'s error handling and depth management.

Because guard() manages the routing of XML parser events, a depth-counting error there, combined with the error suppression mechanisms around it, makes it the clear source of the vulnerability.
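The failure mode described above, as a constructed Python model added here (it is not aioxmpp's guard() or parser code): a SAX router decides from an element-depth counter whether an element is stream-level or stanza payload, and a guard that suppresses handler errors also rolls the counter back, even though the parser still delivers the matching end tag. The `StreamRouter` class, the `rollback_on_error` switch and the sample stream are assumptions made for the illustration.

```python
import xml.sax
from xml.sax.handler import ContentHandler


class StreamRouter(ContentHandler):
    """Constructed toy stream router (not aioxmpp's code).

    Depth 1 is the stream root, depth 2 elements are stream-level
    (stanzas), depth 3+ elements are stanza payload. Routing is only
    correct while the counter tracks the parser's open/close events.
    """

    def __init__(self, rollback_on_error):
        super().__init__()
        self.rollback_on_error = rollback_on_error
        self.depth = 0
        self.stream_level = []  # element names routed as stream-level
        self.payload = []       # element names routed as stanza payload
        self.errors = []        # handler errors that the guard suppressed

    def handle_start(self, name):
        # Application handler; a rejected element raises.
        if name == "bad":
            raise ValueError(f"rejected element {name!r}")
        if self.depth == 2:
            self.stream_level.append(name)
        elif self.depth > 2:
            self.payload.append(name)

    def startElement(self, name, attrs):
        self.depth += 1
        try:  # guard: keep parsing even if the handler fails
            self.handle_start(name)
        except ValueError as exc:
            self.errors.append(str(exc))
            if self.rollback_on_error:
                # Modelled bug: undoing the increment desynchronises the
                # counter, because endElement for this tag still arrives
                # and decrements it a second time.
                self.depth -= 1

    def endElement(self, name):
        self.depth -= 1


def route(document, rollback_on_error):
    """Parse a stream and return the router so its state can be inspected."""
    router = StreamRouter(rollback_on_error)
    xml.sax.parseString(document.encode(), router)
    return router

# Constructed sample: a stanza carrying a rejected element, then a second stanza.
SAMPLE_STREAM = "<stream><msg><bad/><body/></msg><iq><q/></iq></stream>"
```

With `rollback_on_error=True` the `<body/>` payload and the second stanza's `<q/>` are routed as stream-level elements and the counter ends at -1; with it off, routing and the final depth of 0 are correct despite the suppressed error.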


WAF Protection Rules

Impact
Possible remote Denial of Service or Data Injection.

Patches
Patches are available in https://github.com/horazont/aioxmpp/pull/***. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fi
