PYSEC-2020-59

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/libtaxii/PYSEC-2020-59.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2020-59

Aliases

Published

2020-10-17T20:15:00Z

Modified

2023-11-01T04:52:49.177041Z

Summary

[none]

Details

* DISPUTED * TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group."

References

Affected packages

PyPI / libtaxii

Package

Name: libtaxii; View open source insights on deps.dev
Purl: pkg:pypi/libtaxii

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.118

Affected versions

1.*

1.0.090

1.0.100

1.0.101

1.0.103

1.0.104

1.0.105

1.0.106

1.0.107

1.1.100

1.1.101

1.1.102

1.1.103

1.1.104

1.1.105

1.1.106

1.1.107

1.1.108

1.1.109

1.1.110

1.1.111

1.1.112

1.1.113

1.1.114

1.1.115

1.1.116

1.1.117