CVE-2022-27193

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
mitreCNA
6.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AC:L/AV:L/A:L/C:H/I:N/PR:N/S:U/UI:R
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
cvrf-csaf-converter_projectcvrf-csaf-converter
1.0.0:alpha
cvrf-csaf-converter_projectcvrf-csaf-converter
1.0.0:dev1
cvrf-csaf-converter_projectcvrf-csaf-converter
1.0.0:dev2
cvrf-csaf-converter_projectcvrf-csaf-converter
1.0.0:dev3
cvrf-csaf-converter_projectcvrf-csaf-converter
1.0.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2
https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2