PT-2025-6020 · Xml2Rfc · Xml2Rfc

Published 2025-02-07 · Updated 2025-02-07

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

xml2rfc versions 3.12.0 through 3.26.0

Description

The issue concerns XML External Entity (XXE) injection attacks. It was discovered that xml2rfc does not respect the --allow-local-file-access flag when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source directory and below without using the --allow-local-file-access flag. This affects anyone running xml2rfc as a service that accepts input from external users. Specifying a file in the src attribute in artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc's output, but only if the file is inside the same directory as the XML input source file.

Recommendations

For xml2rfc versions 3.12.0 through 3.26.0, use a secure temporary directory to process untrusted XML files, and do not reuse it for processing other XML documents. As a temporary workaround, consider restricting access to the artwork src and sourcecode src attributes until a patch is available. Restrict access to XML entity references to minimize the risk of exploitation.
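
The temporary-directory recommendation above, sketched as an added example (not code from the xml2rfc project or from this advisory): each untrusted document is written into its own freshly created directory, so the source directory and everything below it holds nothing except that one input. The helper name render_untrusted and the `xml2rfc --text -o OUT IN` invocation are assumptions; adapt them to your service.

```python
import subprocess
import tempfile
from pathlib import Path

# Assumed invocation ("xml2rfc --text -o OUT IN"); adjust to your deployment.
XML2RFC_CMD = ("xml2rfc", "--text")


def render_untrusted(xml_bytes: bytes, cmd=XML2RFC_CMD, timeout=60) -> bytes:
    """Render one untrusted document in a fresh, single-use directory.

    render_untrusted is a hypothetical helper name. The caller passes the
    document as bytes, so the submitter never chooses where it is stored.
    """
    # TemporaryDirectory creates a 0700 directory with an unpredictable name
    # and deletes it, with everything in it, when the block exits.
    with tempfile.TemporaryDirectory(prefix="xml2rfc-job-") as workdir:
        src_dir = Path(workdir, "in")    # source directory: input.xml only
        out_dir = Path(workdir, "out")   # sibling, not below the source dir
        src_dir.mkdir()
        out_dir.mkdir()
        src = src_dir / "input.xml"
        out = out_dir / "output.txt"
        src.write_bytes(xml_bytes)
        # --allow-local-file-access is deliberately never passed.
        subprocess.run(
            [*cmd, "-o", str(out), str(src)],
            cwd=src_dir, check=True, timeout=timeout,
            stdin=subprocess.DEVNULL, capture_output=True,
        )
        return out.read_bytes()
```

Because the directory is created per call and removed on return, nothing left by one job (input, output, or stray files) is reachable from the next job's src attributes or entity references.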

Fix

Path traversal

Weakness Enumeration

Related Identifiers

GHSA-432C-WXPG-M4Q3

Affected Products

Xml2Rfc