Vulnerability Description
TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclecticiq | Opentaxii | <= 0.2.0 |
| Libtaxii Project | Libtaxii | <= 1.1.117 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/159662/Libtaxii-1.1.117-OpenTaxi-0.2.0-ServExploitThird Party Advisory
- https://github.com/TAXIIProject/libtaxii/issues/246ExploitThird Party Advisory
- https://github.com/eclecticiq/OpenTAXII/issues/176ExploitThird Party Advisory
- http://packetstormsecurity.com/files/159662/Libtaxii-1.1.117-OpenTaxi-0.2.0-ServExploitThird Party Advisory
- https://github.com/TAXIIProject/libtaxii/issues/246ExploitThird Party Advisory
- https://github.com/eclecticiq/OpenTAXII/issues/176ExploitThird Party Advisory
FAQ
What is CVE-2020-27197?
CVE-2020-27197 is a vulnerability with a CVSS score of 9.8 (CRITICAL). TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is ...
How severe is CVE-2020-27197?
CVE-2020-27197 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-27197?
Check the references section above for vendor advisories and patch information. Affected products include: Eclecticiq Opentaxii, Libtaxii Project Libtaxii.