Lucene search

Veracode Vulnerability DatabaseVERACODE:44215

HistoryNov 10, 2023 - 12:11 a.m.

XML Eexternal Entity (XXE) Injection

2023-11-1000:11:10

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml parsing

gp6 files

gp7 files

data access

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.005

Percentile

76.6%

JSON

tuxguitar is vulnerable to XML Eexternal Entity (XXE) Injection. An attacker is able to exploit a flaw in the way that TuxGuitar parses XML files to load GP6 and GP7 tablature files. The attacker can then trick a user into opening a specially crafted GP6 or GP7 file, which would cause TuxGuitar to load the file and gain access to data contained within the file.

References

logicaltrust.net/blog/2020/06/tuxguitar.html

security-tracker.debian.org/tracker/CVE-2020-14940

sourceforge.net/p/tuxguitar/bugs/126/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.005

Percentile

76.6%

JSON

Related for VERACODE:44215