NVD Vulnerability Detail

CVE-2020-5227

Summary	Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Publication Date	Jan. 29, 2020, 8:15 a.m.
Registration Date	Jan. 26, 2021, 11:59 a.m.
Last Update	Nov. 21, 2024, 2:33 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:feedgen_project:feedgen::::::python::*					0.9.0

Related information, measures and tools

No	URL	タグ
1	https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses	Exploit Patch Third Party Advisory Vendor Advisory
2	https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses	Exploit Patch Third Party Advisory Vendor Advisory
3	https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf	Patch
4	https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf	Patch
5	https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f	Third Party Advisory
6	https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f	Third Party Advisory
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-776	DTD の再帰的なエンティティ参照の不適切な制限	https://cwe.mitre.org/data/definitions/776.html

JVN Vulnerability Information

Feedgen におけるDTD の再帰的なエンティティ参照の不適切な制限に関する脆弱性

Title	Feedgen におけるDTD の再帰的なエンティティ参照の不適切な制限に関する脆弱性
Summary	Feedgen (python feedgen) には、DTD の再帰的なエンティティ参照の不適切な制限に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 28, 2020, midnight
Registration Date	Feb. 19, 2020, 1:53 p.m.
Last Update	Feb. 19, 2020, 1:53 p.m.

Affected System

feedgen project

Feedgen 0.9.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-5227	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5227
National Vulnerability Database (NVD)
2	CVE-2020-5227	https://nvd.nist.gov/vuln/detail/CVE-2020-5227

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-776	http://cwe.mitre.org/data/definitions/776.html

ベンダー情報

No	Name	URL
GitHub
1	Feedgen Vulnerable Against XML Denial of Service Attacks	https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f
2	Merge pull request from GHSA-g8q7-xv52-hf9f	https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf

その他

No	Name	URL
関連文書
1	Security Briefs - XML Denial of Service Attacks and Defenses	https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses

Change Log

No	Changed Details	Date of change
1	[2020年02月19日] 掲載	Feb. 19, 2020, 1:53 p.m.