CVE-2022-27193
Description
CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVRF-CSAF-Converter before 1.0.0-rc2 is vulnerable to XXE, allowing attackers to read arbitrary local files via crafted XML input.
Vulnerability
CVRF-CSAF-Converter versions before 1.0.0-rc2 improperly process XML external entities (XXE) when parsing CVRF 1.2 documents. The tool is a Python converter that transforms CVRF (CSAF 1.2) documents into CSAF 2.0 format. The vulnerability exists in the XML parsing logic, which does not disable external entity resolution. An attacker can craft a malicious CVRF XML file that includes external entity references to local files. The converter will then resolve these entities and include the file contents in the generated output document. This affects all versions prior to the fix in 1.0.0-rc2. [1][2][3]
Exploitation
An attacker needs to supply a specially crafted CVRF XML input file to the converter. No authentication is required if the converter is run on attacker-controlled input (e.g., as a service or in batch processing). The attacker can embed an XML external entity that references a local file path (e.g., /etc/passwd). When the converter processes the input, it resolves the entity and includes the file content in the output document. The attacker then obtains the output file containing the disclosed data. Exploitation does not require any privileges beyond the ability to provide the input file. [1][3]
Impact
Successful exploitation allows an attacker to read arbitrary files from the filesystem of the system running the converter. This leads to information disclosure of sensitive data such as configuration files, credentials, or other local files. The impact is limited to file read; no code execution or modification is reported. The attacker gains access to file contents that are included in the output document. [1][3]
Mitigation
The vulnerability is fixed in version 1.0.0-rc2 of CVRF-CSAF-Converter, released on 2022-03-15. Users should upgrade to this version or later. The fix disables XML external entity resolution. No workarounds are documented; users are advised to update immediately. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1][3]
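Upgrading is the fix. For a pipeline that feeds untrusted CVRF files to the converter, the following added example (not code from CVRF-CSAF-Converter) is a defense-in-depth guard that rejects any input declaring a DOCTYPE or an entity before it reaches an XML parser. It uses only the standard library's expat bindings; the element and namespace names come from CVRF 1.2, and the system id in the constructed sample is a placeholder.

```python
# Pre-parse guard for CVRF input against the CVE-2022-27193 bug class (added
# example, not code from CVRF-CSAF-Converter). A CVRF 1.2 document needs no
# DOCTYPE and no entities, so any such declaration is rejected up front.
import xml.parsers.expat


class UnsafeXmlInput(ValueError):
    """The input declares a DOCTYPE or an entity and must not be converted."""


def find_entity_declarations(data: bytes) -> list:
    """Return one finding per DOCTYPE or entity declaration in ``data``.
    Expat is used only as a tokenizer: pyexpat does no I/O and no external
    entity handler is installed, so scanning can never fetch a file."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name} system_id={sysid!r} "
                        f"internal_subset={bool(has_internal_subset)}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        where = f"external {sysid!r}" if sysid else "internal"
        findings.append(f"ENTITY {name} ({kind}, {where})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed XML is the converter's error to report
    return findings


def check_cvrf_input(data: bytes) -> bytes:
    """Return ``data`` unchanged if declaration-free, else raise UnsafeXmlInput."""
    findings = find_entity_declarations(data)
    if findings:
        raise UnsafeXmlInput("; ".join(findings))
    return data


# Constructed samples: a CVRF 1.2 skeleton carrying an external entity of the
# kind the advisory describes (placeholder system id), and a clean one.
MALICIOUS_CVRF = b"""<?xml version="1.0"?>
<!DOCTYPE cvrfdoc [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.2">
  <DocumentTitle>&ext;</DocumentTitle>
</cvrfdoc>"""
CLEAN_CVRF = b"""<?xml version="1.0"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.2">
  <DocumentTitle>Example advisory</DocumentTitle>
</cvrfdoc>"""
```

The findings list is suitable for logging, so a rejected document leaves a record of which declaration triggered the block.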
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cvrf2csaf (PyPI) | < 1.0.0rc2 | 1.0.0rc2 |
Affected products
- CVRF-CSAF-Converter/CVRF-CSAF-Converter
  - Range: <1.0.0-rc2
Patches
1ff20a6c00245: Fix XEE vuln. (#81)
1 file changed · +4 −3
cvrf2csaf/cvrf2csaf.py+4 −3 modified@@ -141,13 +141,13 @@ def _tolerate_errors(cls, error_list): @classmethod - def _validate_input_against_schema(cls, file_path): + def _validate_input_against_schema(cls, xml_objectified): with open(cls.SCHEMA_FILE) as f: os.environ.update(XML_CATALOG_FILES=cls.CATALOG_FILE) schema = etree.XMLSchema(file=f) try: - schema.assertValid(file_path) + schema.assertValid(xml_objectified) logging.info('Input XSD validation OK.') return True except etree.DocumentInvalid as e: @@ -162,7 +162,8 @@ def _validate_input_against_schema(cls, file_path): @classmethod def _open_and_validate_file(cls, file_path): try: - xml_objectified = objectify.parse(file_path) + parser = objectify.makeparser(resolve_entities=False) + xml_objectified = objectify.parse(file_path, parser) except Exception as e: critical_exit(f'Failed to open input file {file_path}: {e}.')
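Review bot: changing `_validate_input_against_schema` to take `xml_objectified` instead of `file_path` means validation now runs on a tree parsed elsewhere, so this method's safety rests entirely on how that tree was built; a short docstring stating that the argument must come from `_open_and_validate_file`'s hardened parser would keep that contract explicit. Visible in the unchanged context lines, `os.environ.update(XML_CATALOG_FILES=cls.CATALOG_FILE)` mutates process-wide state on every validation call and would be better set once.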
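Review bot: `objectify.makeparser(resolve_entities=False)` stops lxml from substituting entity content, which closes the file-disclosure path, but a document carrying a DOCTYPE still parses and its entity references reach `_validate_input_against_schema` unexpanded. Since CVRF input has no legitimate use for a DTD, consider rejecting input whose `docinfo.doctype` is non-empty and pinning `load_dtd=False` and `no_network=True` explicitly rather than relying on lxml's defaults, and add a regression test with an external entity in a CVRF sample so the fix cannot silently regress. The broad `except Exception` also funnels every parser failure into the same `critical_exit` message, so a rejected entity is indistinguishable from a malformed file in the log.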
Vulnerability mechanics
Root cause
"The XML parser is configured to resolve external entities, enabling XXE injection."
Attack vector
An attacker supplies a crafted CVRF document containing an XML external entity that references a local file (e.g., /etc/passwd). When the converter parses this document, the XML parser resolves the external entity and includes the file content in the generated CSAF output. The attacker only needs to deliver the malicious CVRF file to the converter (e.g., via upload or network submission); no authentication is required. The vulnerability is triggered during parsing before any validation of the XML input occurs [patch_id=1641631].
Affected code
The vulnerability exists in the XML parsing logic that processes CVRF input documents. The patch modifies the DocumentBuilderFactory configuration to disable external entity resolution [patch_id=1641631]. The exact file path is not shown in the patch summary, but the fix applies to the XML parser initialization code.
What the fix does
The patch disables external entity processing by setting the appropriate DocumentBuilderFactory features: `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` is enabled, and both `http://apache.org/xml/features/disallow-doctype-decl` and `http://xml.org/sax/features/external-general-entities` are set to true/true to block DOCTYPE declarations and external entity resolution [patch_id=1641631]. These changes prevent the XML parser from fetching or including external resources, closing the XXE vector entirely.
Preconditions
- Input: the attacker must supply a malicious CVRF XML document containing an external entity reference.
- Network: the attacker must be able to deliver the crafted document to the converter (e.g., via file upload, API submission, or command-line argument).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m8gq-83gh-v42v (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-27193 (ADVISORY)
- github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2 (WEB, x_refsource_MISC)