Arbitrary Code Injection

Affecting aioxmpp package, versions [,0.10.3) (every release before 0.10.3)


Overview

aioxmpp is a pure-Python XMPP library built on the asyncio standard library module introduced in Python 3.4.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper handling of structural elements in the stanza parser. A crafted stanza sent to an application that uses the vulnerable components could either inject data into a different context or cause the application to reconnect.

Remediation

Upgrade aioxmpp to version 0.10.3 or higher.
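The affected range above uses Snyk's interval notation: a square bracket is an inclusive bound, a parenthesis an exclusive one, and an empty side means unbounded, so "[,0.10.3)" covers every release below the fixed version. The following helper, added here as an example and not part of the advisory or of aioxmpp, checks an installed version against such an interval; the `installed_aioxmpp_version` lookup via `importlib.metadata` and the simplified version parsing (pre-release suffixes are dropped) are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Affected range and fixed version copied from the advisory.
AFFECTED_RANGE = "[,0.10.3)"
FIXED_VERSION = "0.10.3"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '0.10.3' into (0, 10, 3) so versions compare numerically.

    Simplification (assumption of this example): only the leading digits of
    each dotted component are used, so '0.10.3rc1' is treated as 0.10.3.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1; pads with zeros so (0, 10) equals (0, 10, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_range(spec: str):
    """Parse Snyk-style intervals such as '[,0.10.3)' or '[1.0,2.0]'.

    Returns (lower, lower_inclusive, upper, upper_inclusive); an absent
    bound is returned as None.
    """
    m = re.fullmatch(r"\s*([\[(])([^,]*),([^\])]*)([\])])\s*", spec)
    if not m:
        raise ValueError(f"bad interval: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    lower = parse_version(lo) if lo.strip() else None
    upper = parse_version(hi) if hi.strip() else None
    return lower, lo_br == "[", upper, hi_br == "]"


def in_range(version: str, spec: str) -> bool:
    """True when `version` lies inside the interval `spec`."""
    v = parse_version(version)
    lower, lo_inc, upper, hi_inc = parse_range(spec)
    if lower is not None:
        c = compare(v, lower)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if upper is not None:
        c = compare(v, upper)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def is_affected(installed: str, affected: str = AFFECTED_RANGE) -> bool:
    """Is this aioxmpp version inside the advisory's affected range?"""
    return in_range(installed, affected)


def installed_aioxmpp_version() -> Optional[str]:
    """Read the installed aioxmpp version, or None if it is not installed."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8
        return None
    try:
        return version("aioxmpp")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_aioxmpp_version()
    if found is None:
        print("aioxmpp is not installed in this environment")
    elif is_affected(found):
        print(f"aioxmpp {found} is affected; upgrade to {FIXED_VERSION} or later")
    else:
        print(f"aioxmpp {found} is outside the affected range")
```

Because the upper bound is exclusive, 0.10.3 itself is reported as not affected, matching the remediation; anything that parses as lower, including 0.10.2 and 0.9, is flagged.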

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit: horazont
CVE: CVE-2019-1000007
CWE: CWE-94
Snyk ID: SNYK-PYTHON-AIOXMPP-73648
Disclosed: 10 Jan, 2019
Published: 05 Feb, 2019