CVE-2022-27193
MEDIUM
CVRF-CSAF-Converter < 1.0.0-rc2 - XML External Entity Injection
Title source: llm
Description
CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2
Scores
CVSS v3
6.1
EPSS
0.0066
EPSS Percentile
46.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Details
CWE
CWE-611
Status
published
Products (2)
cvrf-csaf-converter_project/cvrf-csaf-converter
1.0.0 alpha (5 CPE variants)
pypi/cvrf2csaf
0 - 1.0.0rc2 (PyPI)
Published
Mar 15, 2022
Tracked Since
Feb 18, 2026