CVE-2020-5227
Published 2020-01-28
Priority: P3 (38) · high · CVSS 3.1: 7.5
EPSS: 1.64% (73.3rd percentile)
Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feedgen_project | feedgen | < 0.9.0 | 0.9.0 |
| feedgen_project | feedgen | >= 0 < f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf | f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf |
| feedgen_project | feedgen | >= 0 < 0.9.0 | 0.9.0 |
| lkiesow | python-feedgen | < 0.9.0 | 0.9.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
OSV
CVE-2020-5227: Feedgen (python feedgen) before 0
osv·2020-01-28
OSV
Feedgen Vulnerable to XML Denial of Service Attacks
osv·2020-01-28
CVE-2020-5227 [MEDIUM] Feedgen Vulnerable to XML Denial of Service Attacks
### Impact
The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to [XML Denial of Service Attacks](https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses) (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
### Patches
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
### Workarounds
Updating is strongly recommended and shou
GHSA
Feedgen Vulnerable to XML Denial of Service Attacks
ghsa·2020-01-28
CVE-2020-5227 [MEDIUM] CWE-776 Feedgen Vulnerable to XML Denial of Service Attacks
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses
- https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf
- https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI/