
CVE-2022-27193: XML External Entities Vulnerability in CVRF-CSAF-Converter

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.40917%
Published: 3/16/2022
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
(local attack vector, no privileges required, user interaction required: a victim has to run the converter on an attacker-supplied CVRF file; high confidentiality impact, no integrity impact, low availability impact)

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
cvrf2csaf      pip         <= 1.0.0rc1           1.0.0rc2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from XML parsing that resolves external entities. A CVRF document handed to the converter can declare an entity in its DOCTYPE whose system identifier is a local file; when the parser expands the reference, the file's content becomes ordinary text in the parsed tree and is carried into the generated CSAF output. In Python this is the behaviour of lxml as shipped in the 4.x releases current when this CVE was published (XMLParser defaults to resolve_entities=True, and its no_network=True default only blocks remote fetches, not local files). The standard library's xml.etree.ElementTree does not load external entities at all and raises a ParseError when it meets the reference, so the bug pattern points at lxml or a similarly configured parser rather than ElementTree. The CVRF-to-CSAF conversion necessarily parses the untrusted CVRF input, and the fix in 1.0.0-rc2 would have required changing the parser configuration: disabling entity resolution, or rejecting any DTD in the input. The exact code is not shown here, but the pattern matches XXE, where the root cause is an insecure XML parsing function applied to user-supplied input.
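The mechanism described above, as an added example that is not code from CVRF-CSAF-Converter or from Miggo: a CVRF-shaped document whose DOCTYPE points an entity at a local file is parsed once by a configuration that resolves external entities (the file's content lands in the DocumentTitle text, which a converter would copy into its output) and once by two hardened configurations. Because the converter's own parser is not shown on this page, the resolving/non-resolving switch is demonstrated with the standard library's xml.sax (expat) reader, where loading external general entities is an explicit feature flag that has been off by default since Python 3.7.1; in lxml 4.x the equivalent switch is XMLParser(resolve_entities=...). The CVRF document, the entity name xxe, the secret file and its content are constructed for this example, and the file:// system identifier assumes a POSIX path.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class UntrustedDTDError(Exception):
    """Raised when the input carries a DOCTYPE and DTDs are not allowed."""


class TitleCollector(handler.ContentHandler):
    """Collects the text of DocumentTitle, a CVRF field a converter would
    copy verbatim into its CSAF output."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "DocumentTitle":
            self._in_title = True

    def endElement(self, name):
        if name == "DocumentTitle":
            self._in_title = False

    def characters(self, content):
        # When the parser expands the external entity, the file's bytes
        # arrive here exactly as if they had been typed into the element.
        if self._in_title:
            self._parts.append(content)

    @property
    def title(self):
        return "".join(self._parts)


class DTDRejecter:
    """Lexical handler that aborts parsing at the first DOCTYPE. Refusing
    DTDs removes external entities and entity-expansion DoS in one step."""

    def startDTD(self, name, public_id, system_id):
        raise UntrustedDTDError(f"DOCTYPE {name!r} not allowed in input")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def write_secret_file(content="db_password=hunter2\n"):
    """Constructed stand-in for a sensitive file on the converter host."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def cvrf_with_xxe(secret_path):
    """Constructed CVRF-shaped input: the DOCTYPE declares an external
    entity whose system identifier is a local file (POSIX path assumed)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE cvrfdoc [\n"
        f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
        "]>\n"
        '<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.2">\n'
        "  <DocumentTitle>&xxe;</DocumentTitle>\n"
        "  <DocumentType>Security Advisory</DocumentType>\n"
        "</cvrfdoc>\n"
    ).encode("utf-8")


def parse_title(doc, resolve_external_entities=False, allow_dtd=True):
    """Return the DocumentTitle text of `doc`.

    resolve_external_entities=True reproduces the vulnerable configuration
    (a parser that fetches and inlines SYSTEM entities). The default leaves
    the reference unexpanded; allow_dtd=False refuses the document outright.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if not allow_dtd:
        parser.setProperty(handler.property_lexical_handler, DTDRejecter())
    collector = TitleCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(doc))
    return collector.title


def rejects_document(doc):
    """True if the strict (no-DTD) configuration refuses `doc`."""
    try:
        parse_title(doc, allow_dtd=False)
    except UntrustedDTDError:
        return True
    return False


if __name__ == "__main__":
    secret = write_secret_file()
    try:
        doc = cvrf_with_xxe(secret)
        print("resolving parser :", repr(parse_title(doc, resolve_external_entities=True)))
        print("default parser   :", repr(parse_title(doc)))
        print("DTD rejected     :", rejects_document(doc))
    finally:
        os.unlink(secret)
```

Run stand-alone, the resolving configuration prints the secret file's content as the document title, the default configuration prints an empty title because the entity reference is left unexpanded, and the strict configuration raises before the document body is ever parsed. Rejecting the DTD is the more robust fix for a tool that only ever consumes schema-conformant CVRF (which has no use for a DOCTYPE): it closes external entities and internal entity-expansion DoS together, whereas turning off resolution alone still lets an attacker-supplied DTD through the parser.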


WAF Protection Rules

WAF Rule

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML external entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running
