CVE-2020-5227 — MEDIUM (4.4)

Q: How severe is CVE-2020-5227?

CVE-2020-5227 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-5227?

Check the references section above for vendor advisories and patch information. Affected products include: Feedgen Project Feedgen.

Vulnerability Description

Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Feedgen Project	Feedgen	< 0.9.0

Related Weaknesses (CWE)

CWE-776

References

https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-ExploitPatchThird Party Advisory
https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4Patch
https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-ExploitPatchThird Party Advisory
https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4Patch
https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-5227?

CVE-2020-5227 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed a...

How severe is CVE-2020-5227?

CVE-2020-5227 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5227?

Check the references section above for vendor advisories and patch information. Affected products include: Feedgen Project Feedgen.