CVE-2021-23418
Published: 29 July 2021
The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
Priority
Status
Package | Release | Status |
---|---|---|
glances (Launchpad, Ubuntu, Debian) | bionic | Released (2.11.1-3ubuntu0.1~esm1), available with Ubuntu Pro |
glances | focal | Released (3.1.3-1ubuntu0.1~esm1), available with Ubuntu Pro |
glances | hirsute | Ignored (end of life) |
glances | impish | Ignored (end of life) |
glances | jammy | Not vulnerable (3.2.3.1+dfsg-1) |
glances | kinetic | Not vulnerable (3.2.3.1+dfsg-1) |
glances | lunar | Not vulnerable (3.2.3.1+dfsg-1) |
glances | mantic | Not vulnerable (3.2.3.1+dfsg-1) |
glances | noble | Not vulnerable (3.2.3.1+dfsg-1) |
glances | trusty | Does not exist |
glances | upstream | Released (3.2.1) |
glances | xenial | Released (2.3-1ubuntu0.1~esm1), available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a
- https://github.com/nicolargo/glances/issues/1025
- https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807
- https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32
- https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94
- https://ubuntu.com/security/notices/USN-5187-1
- https://www.cve.org/CVERecord?id=CVE-2021-23418
- NVD
- Launchpad
- Debian