CVE-2020-27197

CRITICAL

libtaxii < 1.1.117 and OpenTAXII < 0.2.0 - Server-Side Request Forgery via Parse Method

Title source: llm

Description

TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group.

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/eclecticiq/OpenTAXII/issues/176

Exploit, Third Party Advisory x_refsource_misc

https://github.com/TAXIIProject/libtaxii/issues/246

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/159662/Libtaxii-1.1.117-OpenTaxi-0.2.0-Server-Side-Request-Forgery.html

Scores

CVSS v3 9.8

EPSS 0.0225

EPSS Percentile 80.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-918

Status published

Products (3)

eclecticiq/opentaxii < 0.2.0

libtaxii_project/libtaxii < 1.1.117

pypi/libtaxii 0 - 1.1.118PyPI

Published Oct 17, 2020

Tracked Since Feb 18, 2026