CVE Vulnerabilities

CVE-2023-20052

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Mar 01, 2023 | Modified: Jan 25, 2024
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name Vendor Start Version End Version
Secure_endpoint Cisco * 1.20.2 (excluding)
Secure_endpoint Cisco * 1.21.1 (excluding)
Secure_endpoint Cisco * 7.5.9 (excluding)
Secure_endpoint Cisco 8.0.1.21160 (including) 8.1.5 (excluding)
Secure_endpoint_private_cloud Cisco * 3.6.0 (excluding)
Clamav Ubuntu bionic *
Clamav Ubuntu devel *
Clamav Ubuntu esm-infra/xenial *
Clamav Ubuntu focal *
Clamav Ubuntu jammy *
Clamav Ubuntu kinetic *
Clamav Ubuntu lunar *
Clamav Ubuntu trusty *
Clamav Ubuntu trusty/esm *
Clamav Ubuntu xenial *

Potential Mitigations

References