CVE-2020-5227 : Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service at

Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.

Published 2020-01-28 23:15:13

Updated 2020-02-08 04:15:12

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2020-5227

Feedgen Project » Feedgen » For Python
Versions before (<) 0.9.0
cpe:2.3:a:feedgen_project:feedgen:*:*:*:*:*:python:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-5227

EPSS FAQ

0.80%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 72 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5227

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
4.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H	0.7	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-5227

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2020-5227

https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses

XML Denial of Service Attacks and Defenses | Microsoft Docs
Exploit;Patch;Third Party Advisory;Vendor Advisory
https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf

Merge pull request from GHSA-g8q7-xv52-hf9f · lkiesow/python-feedgen@f57a01b · GitHub
Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI/

[SECURITY] Fedora 31 Update: python-feedgen-0.9.0-1.fc31 - package-announce - Fedora Mailing-Lists
https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f

Feedgen Vulnerable Against XML Denial of Service Attacks · Advisory · lkiesow/python-feedgen · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-5227

Products affected by CVE-2020-5227

Exploit prediction scoring system (EPSS) score for CVE-2020-5227

CVSS scores for CVE-2020-5227

CWE ids for CVE-2020-5227

References for CVE-2020-5227