CVE-2021-23418 - Vulnerability Details - OpenCVE

The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00381.

Key SSVC decision points have not yet been added.

Vendors	Products
Glances Project	Glances

Configuration 1 [-]

cpe:2.3:a:glances_project:glances:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-0094	The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.\n
Github GHSA	GHSA-r2mj-8wgq-73m6	XML External Entity Reference in Glances
Ubuntu USN	USN-5187-1	Glances vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94
https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a
https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32
https://github.com/nicolargo/glances/issues/1025
https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-07-29T17:50:12.851255Z

Updated: 2024-09-16T17:38:39.943Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23418

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-07-29T18:15:07.727

Modified: 2024-11-21T05:51:43.380

Link: CVE-2021-23418

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Glances", "vendor": "n/a", "versions": [{"lessThan": "3.2.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Unknown"}], "datePublic": "2021-07-29T00:00:00", "descriptions": [{"lang": "en", "value": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "XML External Entity (XXE) Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-29T17:50:12", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/issues/1025"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"}], "title": "XML External Entity (XXE) Injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-07-29T17:45:15.560277Z", "ID": "CVE-2021-23418", "STATE": "PUBLIC", "TITLE": "XML External Entity (XXE) Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Glances", "version": {"version_data": [{"version_affected": "<", "version_value": "3.2.1"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Unknown"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML External Entity (XXE) Injection"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"}, {"name": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94", "refsource": "MISC", "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"}, {"name": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a", "refsource": "MISC", "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"}, {"name": "https://github.com/nicolargo/glances/issues/1025", "refsource": "MISC", "url": "https://github.com/nicolargo/glances/issues/1025"}, {"name": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32", "refsource": "MISC", "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.976Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nicolargo/glances/issues/1025"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23418", "datePublished": "2021-07-29T17:50:12.851255Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T17:38:39.943Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glances_project:glances:*:*:*:*:*:*:*:*", "matchCriteriaId": "705B1A67-A5F2-4E29-A99F-E66751399BB0", "versionEndExcluding": "3.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks."}, {"lang": "es", "value": "Los paquetes anteriores a la versi\u00f3n 3.2.1 son vulnerables a la Inyecci\u00f3n de Entidades Externas XML (XXE) a trav\u00e9s del uso de Fault para analizar datos XML que no son de confianza, y que se sabe que son vulnerables a ataques XML"}], "id": "CVE-2021-23418", "lastModified": "2024-11-21T05:51:43.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-29T18:15:07.727", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/issues/1025"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/nicolargo/glances/issues/1025"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}