CVE-2020-24379 — XML External Entity (XXE) Injection in Yaws

CWE-611 — XML External Entity (XXE) Injection10 documents7 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 21.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yaws Canonical Ubuntu Linux Debian Linux

Timeline

PublishedSep 9

Latest updateMay 24

Description

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Debianyaws/yaws< 2.0.8+dfsg-1+3

▶Ubuntuyaws/yaws< 2.0.4+dfsg-2ubuntu0.1

▶NVDyaws/yaws1.81 — 2.0.7

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-xq76-5h8q-6j3h: WebDAV implementation in Yaws web server versions 1↗2022-05-24

▶

OSV

yaws vulnerabilities↗2020-10-05

▶

OSV

CVE-2020-24379: WebDAV implementation in Yaws web server versions 1↗2020-09-09

▶

CVEList

CVE-2020-24379: WebDAV implementation in Yaws web server versions 1↗2020-09-09

▶

📋Vendor Advisories

Ubuntu

Yaws vulnerabilities↗2020-10-05

▶

Debian

CVE-2020-24379: yaws - WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to...↗2020

▶

💬Community

Bugzilla

CVE-2020-24379 yaws: XXE injection WebDAV implementation [fedora-31]↗2020-09-14

▶

Bugzilla

CVE-2020-24379 yaws: XXE injection WebDAV implementation↗2020-09-14

▶

Bugzilla

CVE-2020-24379 yaws: XXE injection WebDAV implementation [epel-7]↗2020-09-14

▶