CVE-2023-20052

MEDIUM

ClamAV <1.0.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-20052. PoCs published by nokn0wthing, tralsesec, MOHITSINGHPAPOLA.

AI-analyzed exploit summary: This repository provides a working proof-of-concept for CVE-2023-20052, an information leak vulnerability in ClamAV's DMG file parser. The exploit leverages an XXE (XML External Entity) injection to read arbitrary files (e.g., /etc/passwd) when a malicious DMG file is scanned.

Description

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

Exploits (4)

nomisec WORKING POC 27 stars
by nokn0wthing · poc
https://github.com/nokn0wthing/CVE-2023-20052

This repository provides a working proof-of-concept for CVE-2023-20052, an information leak vulnerability in ClamAV's DMG file parser. The exploit leverages an XXE (XML External Entity) injection to read arbitrary files (e.g., /etc/passwd) when a malicious DMG file is scanned.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ClamAV (versions affected by CVE-2023-20052)
No auth needed
Prerequisites: Docker · genisoimage · dmg · bbe · ClamAV installed on target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by tralsesec · poc
https://github.com/tralsesec/CVE-2023-20052

This repository contains a functional exploit for CVE-2023-20052, which leverages an XXE vulnerability in ClamAV to read arbitrary files. The exploit generates a malicious DMG file with an embedded XXE payload to exfiltrate file contents.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier
No auth needed
Prerequisites: Docker installed · Python 3 · Git
devstral-2 · analyzed May 17, 2026

nomisec WORKING POC
by MOHITSINGHPAPOLA · poc
https://github.com/MOHITSINGHPAPOLA/CVE-2023-20052

This repository provides a fixed Docker build for exploiting CVE-2023-20052, a ClamAV XXE vulnerability. It resolves OpenSSL 3.0 compatibility issues by using Ubuntu 18.04 with OpenSSL 1.0, ensuring successful compilation of the exploit.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ClamAV (versions affected by CVE-2023-20052)
No auth needed
Prerequisites: Docker · genisoimage · dmg · bbe
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by cY83rR0H1t · poc
https://github.com/cY83rR0H1t/CVE-2023-20052

This repository provides a working proof-of-concept for CVE-2023-20052, an XML External Entity (XXE) injection vulnerability in ClamAV's DMG file parser. The exploit demonstrates how to craft a malicious DMG file to leak sensitive information from the system running ClamAV.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier
No auth needed
Prerequisites: ClamAV installed on a vulnerable version · Ability to submit a crafted DMG file for scanning
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.3
EPSS: 0.0668
EPSS Percentile: 93.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-611, CWE-776
Status: published
Products (7):
cisco/secure_endpoint < 1.20.2
cisco/secure_endpoint < 1.21.1
cisco/secure_endpoint < 7.5.9
cisco/secure_endpoint_private_cloud < 3.6.0
clamav/clamav 1.0.0 (3 CPE variants)
clamav/clamav < 0.103.7
stormshield/stormshield_network_security 3.0.0 - 3.7.35
Published: Mar 01, 2023
Tracked Since: Feb 18, 2026