CVE-2020-24379
Published: 9 September 2020
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
From the Ubuntu Security Team
It was discovered that Yaws did not properly sanitize XML input. A remote attacker could use this vulnerability to execute an XML External Entity (XXE) injection attack.
Priority
Status
Package | Release | Status |
---|---|---|
yaws | bionic | Released (2.0.4+dfsg-2ubuntu0.1) |
yaws | focal | Needed |
yaws | groovy | Ignored (end of life) |
yaws | hirsute | Not vulnerable (2.0.8+dfsg-1) |
yaws | impish | Not vulnerable (2.0.8+dfsg-1) |
yaws | jammy | Not vulnerable (2.0.8+dfsg-1) |
yaws | kinetic | Not vulnerable (2.0.8+dfsg-1) |
yaws | lunar | Not vulnerable (2.0.8+dfsg-1) |
yaws | mantic | Not vulnerable (2.0.8+dfsg-1) |
yaws | trusty | Does not exist |
yaws | upstream | Released (2.0.8+dfsg-1) |
yaws | xenial | Needed |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |