CVE-2020-27197
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-27197
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27197.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-27197
- Aliases
- Withdrawn
- 2020-10-21T17:06:23Z
- Published
- 2020-10-17T20:15:10Z
- Modified
- 2025-01-14T08:40:03.587774Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group.
- References
Affected packages
Git / github.com/eclecticiq/opentaxii
Affected ranges
- Type
- GIT
- Repo
- https://github.com/eclecticiq/opentaxii
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Type
- GIT
- Repo
- https://github.com/taxiiproject/libtaxii
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
0.*
0.1.0
0.1.1
0.1.10
0.1.11
0.1.12
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
1.*
1.0.000draft
1.0.090
1.0.100
1.0.101
1.0.102
1.0.103
1.0.104
1.0.105
1.0.106
1.0.107
1.1.100
1.1.101
1.1.102
1.1.103
1.1.104
1.1.105
1.1.106
1.1.107
1.1.108
1.1.109
1.1.110
1.1.111
1.1.112
1.1.113
1.1.114
1.1.115
1.1.116
1.1.117