CVE-2021-32754

EPSS 0.31%
Veröffentlicht 12.07.2021 23:15:07
Zuletzt bearbeitet 21.11.2024 06:07:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flowdroid Project ≫ Flowdroid Version < 2.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.507

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:P/I:N/A:N
security-advisories@github.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/secure-software-engineering/FlowDroid/security/advisories/GHSA-39r7-275f-rvgw

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-32754

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32754

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32754

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-32754