
CVE-2020-5227: Feedgen Vulnerable to XML Denial of Service Attacks

CVSS Score: 4.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.70308%
Published: 1/28/2020
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Package Name: feedgen
Ecosystem: pip
Vulnerable Versions: < 0.9.0
First Patched Version: 0.9.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from unsafe XML parsing that allowed entity expansion. Commit f57a01b introduced secure parsing by: 1) replacing etree.fromstring with xml_fromstring, which uses a hardened parser configuration, and 2) adding parser settings that disable DTD processing and entity expansion. Before the fix, the _add_text_elm function passed user-controlled XML directly to the vulnerable parsing call, and the original XML handling in util.py had no such controls. The patch targeted exactly these two places to mitigate the XML DoS, so that attacker-supplied entity declarations are refused rather than expanded.


WAF Protection Rules

WAF Rule

Impact

The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to [XML Denial of Service attacks](https
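The impact description above (XML supplied as field content, parsed and grafted into the feed's existing tree) and the root-cause analysis (a parser configured to refuse DTD processing and entity expansion) are shown together in the following worked example. This is an added example, not feedgen's own code: it uses only the Python standard library, and safe_fromstring, add_xml_content and the constructed payloads are assumptions standing in for feedgen's xml_fromstring and _add_text_elm. It goes slightly beyond the advisory by also rejecting external entity references, which the same DOCTYPE check covers.

```python
"""Hardened parsing of user-supplied XML before grafting it into a feed tree.

Added example, not feedgen's code. Mirrors the mitigation described in the
root-cause analysis: user-controlled XML goes through a parser that refuses
DTDs, entity declarations and external entity references, so entity-expansion
payloads ("billion laughs") are rejected before a single entity is expanded.
Standard library only; all function names are assumptions.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Input carries a DTD, an entity declaration or an external reference."""


def safe_fromstring(xmlstring):
    """Parse untrusted XML; raise UnsafeXMLError instead of expanding entities.

    Pass 1 scans with a bare expat parser whose DTD-related callbacks abort
    parsing. Every internal entity must be declared inside a DOCTYPE, so
    aborting at the DOCTYPE start stops entity-expansion attacks before any
    expansion happens. Pass 2 builds the ElementTree normally.
    """
    def forbid(*_args):
        raise UnsafeXMLError("DOCTYPE, entity declarations and external "
                             "entity references are not allowed")

    scanner = xml.parsers.expat.ParserCreate()
    # Never fetch or process parameter entities (external DTD subsets).
    scanner.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    scanner.StartDoctypeDeclHandler = forbid
    scanner.EntityDeclHandler = forbid
    scanner.UnparsedEntityDeclHandler = forbid
    scanner.ExternalEntityRefHandler = forbid
    try:
        scanner.Parse(xmlstring, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc) from exc
    return ET.fromstring(xmlstring)


def add_xml_content(parent, tag, user_xml):
    """Hypothetical stand-in for a feed builder's text-element helper.

    The user-controlled fragment is parsed with safe_fromstring and grafted
    into the existing tree, which is the step the advisory describes.
    """
    elem = ET.SubElement(parent, tag)
    elem.set("type", "xhtml")
    elem.append(safe_fromstring(user_xml))
    return elem


# Constructed inputs (not taken from the advisory).
BENIGN_CONTENT = '<div xmlns="http://www.w3.org/1999/xhtml"><p>hello</p></div>'
ENTITY_PAYLOAD = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    '<div>&lol3;</div>'
)
XXE_PAYLOAD = (
    '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///etc/hostname">]><div>&ext;</div>'
)


def demo():
    """Return, per constructed input, whether the hardened path accepted it."""
    results = {}
    for name, payload in (("benign", BENIGN_CONTENT),
                          ("entity_expansion", ENTITY_PAYLOAD),
                          ("external_entity", XXE_PAYLOAD)):
        entry = ET.Element("entry")
        try:
            add_xml_content(entry, "content", payload)
            results[name] = "accepted"
        except UnsafeXMLError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The pre-scan is deliberately separate from tree building: the standard-library ElementTree parser does not expose hooks for entity declarations, so the expat bindings are used to refuse the DTD outright, which is the same effect the hardened parser configuration described above achieves inside feedgen. Rejecting the whole DOCTYPE is the conservative choice; feed content fields have no legitimate need for one.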
