CVE-2019-20627: AutoUpdater.NET allows XXE
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-20627
GHSA ID:
EPSS Score: 0.62562%
CWE:
Published: 5/24/2022
Updated: 9/26/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
Autoupdater.NET.Official | nuget | < 1.5.8 | 1.5.8
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing in the auto-update mechanism. Commit 1dc25f2 shows the fix: it explicitly sets XmlResolver = null when creating the XmlDocument in BackgroundWorkerDoWork. Prior to this patch, the XmlDocument's default resolver was active, enabling XXE. The affected code path processes untrusted XML fetched from update servers, which makes this the clear vulnerability source.
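As an added illustration of the fix described above (example code, not from the AutoUpdater.NET project), the loader below creates the XmlDocument with XmlResolver = null before parsing the update feed, so external entity and DTD references in attacker-controlled XML are never fetched. The sample feed and its element names are constructed for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Added example, not AutoUpdater.NET's own code: parse an update feed the way
// the 1dc25f2 fix does, with the document's resolver disabled.
public static class UpdateFeedLoader
{
    // Constructed sample feed; element names are assumed for illustration.
    public const string SampleFeed =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
        "<item><version>1.5.8</version>" +
        "<url>https://updates.example.com/app.zip</url></item>";

    // Hardened loader: XmlResolver = null is the setting the patched
    // BackgroundWorkerDoWork applies. With the pre-1.5.8 default resolver
    // active, a DOCTYPE in the feed could make the parser fetch external
    // entities or DTDs from local files or remote hosts (the XXE in this CVE).
    public static XmlDocument LoadHardened(Stream xml)
    {
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(xml);
        return doc;
    }

    // Read the field the updater actually needs from the parsed feed.
    public static string ReadVersion(XmlDocument doc) =>
        doc.SelectSingleNode("/item/version")?.InnerText ?? string.Empty;

    public static void Main()
    {
        using var stream = new MemoryStream(Encoding.UTF8.GetBytes(SampleFeed));
        XmlDocument doc = LoadHardened(stream);
        Console.WriteLine("resolver disabled: " + (doc.XmlResolver == null));
        Console.WriteLine("advertised version: " + ReadVersion(doc));
    }
}
```

Checking doc.XmlResolver == null after construction is a cheap unit-test assertion for any code path that parses server-supplied XML.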