CVE-2023-20052
CWE-611 — XML External Entity (XXE)
CWE-776 — XML Entity Expansion (Billion Laughs)
11 documents, 9 sources
Severity: 5.3 MEDIUM
EPSS: 5.7% (top 9.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 1
Latest update: Mar 3
Description
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed:
A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 7 packages
Vulnerability Details (4)

OSV (2023-03-01)
CVE-2023-20052: On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1...

GHSA (2023-03-01)
GHSA-pcr4-7r58-755h: On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1...

CVEList (2023-02-16)
CVE-2023-20052: On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1...

Vendor Advisories (4)

Cisco (2023-02-15)
ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023

Microsoft (2023-02-14)
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103...

Debian (2023)
CVE-2023-20052: clamav - On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was ...