PT-2021-6838 · Glance+3

Unknown · Published 2021-07-29 · Updated 2022-07-25 · CVE-2021-23418

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: glances versions prior to 3.2.1

Description: The issue stems from incorrect restriction of XML references to external entities, which a remote attacker can exploit to gain access to confidential data, disrupt its integrity, and cause a denial of service. The vulnerability is due to the use of Fault to parse untrusted XML data, making it susceptible to XML External Entity (XXE) Injection attacks.

Recommendations: For glances versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround where updating is not yet possible, avoid using the Fault component to parse untrusted XML data in the affected API endpoints.

Tags: Exploit · Fix

Weakness Enumeration: XXE

Related Identifiers

ALT-PU-2021-2545
ALT-PU-2021-3612
ALT-PU-2022-2255
BDU:2022-02263
CVE-2021-23418
GHSA-R2MJ-8WGQ-73M6
PYSEC-2021-115
SNYK-PYTHON-GLANCES-1311807
USN-5187-1

Affected Products

Alt Linux
Linuxmint
Ubuntu
Glance