0Wa1

**Name of the Vulnerable Software and Affected Versions** TAXII libtaxii versions 1.1.117 and earlier EclecticIQ OpenTAXII versions 0.2.0 and earlier **Description** The issue allows SSRF via an initial http:// substring to the `parse` method, even when the `no network` setting is used for the XML parser. The vendor notes that the `parse` method wraps the `lxml` library and this may be an issue to raise to the `lxml` group. **Recommendations** For TAXII libtaxii versions 1.1.117 and earlier, consider disabling the `parse` method until a patch is available. For EclecticIQ OpenTAXII versions 0.2.0 and earlier, restrict access to the `parse` method to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.