9.8

CVE-2020-24379

Exploit
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
YawsYaws Version >= 1.81 <= 2.0.7
CanonicalUbuntu Linux Version18.04 SwEditionlts
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.35% 0.871
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/erlyaws/yaws/commits/master
Patch
Third Party Advisory
https://github.com/vulnbe/poc-yaws-dav-xxe
Third Party Advisory
Exploit
https://lists.debian.org/debian-lts-announce/2020/09/msg00022.html
Third Party Advisory
Mailing List
https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html
Third Party Advisory
Exploit
VDB Entry
https://usn.ubuntu.com/4569-1/
Third Party Advisory
https://vuln.be/post/yaws-xxe-and-shell-injections/
Third Party Advisory
Broken Link
https://www.debian.org/security/2020/dsa-4773
Third Party Advisory