Platform: python
Component: feedparser
Fixed in: 5.1.2
CVE-2012-2921 is a denial-of-service (DoS) vulnerability in Universal Feed Parser (feedparser or python-feedparser) versions up to 5.1.1. An attacker triggers the flaw with an XML document containing specially crafted XML ENTITY declarations, which drives memory consumption in the parsing process to excessive levels and ultimately causes a denial of service. The vulnerability was published in 2018 and a fix is available in version 5.1.2.
The primary impact of CVE-2012-2921 is a denial-of-service condition. An attacker can craft a malicious XML feed that, when parsed by an application using Universal Feed Parser, will consume an excessive amount of memory. This can exhaust server resources, making the application unresponsive and potentially impacting other services running on the same system. The attack is relatively simple to execute, requiring only the creation of a specially crafted XML document. The blast radius depends on the application’s architecture and resource limits; a single vulnerable application could impact the entire server if it consumes all available memory. While no widespread exploitation has been publicly reported, the ease of exploitation makes it a potential target for opportunistic attackers.
CVE-2012-2921 is not currently listed on KEV or EPSS. The vulnerability's age and the availability of a patch suggest a low probability of active exploitation. Public proof-of-concept (POC) code may exist, but there are no confirmed reports of widespread exploitation in the wild. The vulnerability was published by the NVD on 2018-07-24.
Exploit status
EPSS: 1.26% (79th percentile)
CVSS vector
The recommended mitigation for CVE-2012-2921 is to upgrade to Universal Feed Parser version 5.1.2 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on XML feeds before parsing them. Specifically, sanitize or reject feeds containing excessively long or complex XML ENTITY declarations. Web application firewalls (WAFs) configured to inspect XML payloads could potentially detect and block malicious feeds. Regularly monitor system resource usage (memory consumption) to detect potential DoS attacks. After upgrading, confirm the fix by attempting to parse a known malicious XML feed (if available) and verifying that memory consumption remains within acceptable limits.
No official patch is available. Look for alternative solutions or monitor for updates.
CVE-2012-2921 is a denial-of-service vulnerability in Universal Feed Parser versions up to 5.1.1. Malicious XML feeds can cause excessive memory consumption, leading to a denial of service.
You are affected if you are using Universal Feed Parser version 5.1.1 or earlier. Check your version using pip show feedparser or by importing the module in Python and printing its version.
Upgrade to Universal Feed Parser version 5.1.2 or later. If upgrading is not possible, implement input validation on XML feeds to sanitize or reject feeds with suspicious ENTITY declarations.
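The two controls described above (checking the installed feedparser version, and screening feeds for ENTITY declarations before parsing) as a worked example. This is added code, not part of the advisory or the feedparser project; it assumes that the installed module exposes a `feedparser.__version__` string and that legitimate RSS/Atom feeds never need a DOCTYPE internal subset or ENTITY declarations, so both are rejected outright. The sample feeds are constructed for the example.

```python
"""Defensive checks for CVE-2012-2921 in applications that parse untrusted feeds.

Control 1: compare the installed feedparser version against the fixed release 5.1.2.
Control 2: screen raw feed bytes for DOCTYPE internal subsets and ENTITY declarations
before handing them to the parser, since well-formed RSS/Atom feeds need neither.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (5, 1, 2)  # first release containing the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '5.1.1' or '6.0.10' into a comparable tuple of ints.

    A trailing non-numeric suffix such as 'rc1' is ignored.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given feedparser version predates the 5.1.2 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_feedparser_version() -> Optional[str]:
    """Return feedparser.__version__ if the module is importable, else None (assumed attribute)."""
    try:
        import feedparser  # type: ignore
    except ImportError:
        return None
    return getattr(feedparser, "__version__", None)


# Entity declarations live in the DOCTYPE internal subset: "<!DOCTYPE name [ ... ]>".
_INTERNAL_SUBSET_RE = re.compile(rb"<!DOCTYPE[^>\[]*\[", re.IGNORECASE)
_ENTITY_DECL_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def _normalize_encoding(raw: bytes) -> bytes:
    """Re-encode UTF-16 input as UTF-8 so the byte patterns cannot be dodged by encoding."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace").encode("utf-8")
    return raw


def screen_feed(raw: bytes, max_bytes: int = 5 * 1024 * 1024) -> Tuple[bool, str]:
    """Decide whether a raw feed document may be passed to the parser.

    Returns (accept, reason). The size cap bounds parser input; the pattern checks
    reject the DTD constructs this CVE abuses. An external DTD reference without an
    internal subset ('<!DOCTYPE rss PUBLIC ...>') is allowed.
    """
    if len(raw) > max_bytes:
        return False, "feed larger than %d bytes" % max_bytes
    data = _normalize_encoding(raw)
    entity_count = len(_ENTITY_DECL_RE.findall(data))
    if entity_count:
        return False, "%d ENTITY declaration(s) present" % entity_count
    if _INTERNAL_SUBSET_RE.search(data):
        return False, "DOCTYPE with internal subset present"
    return True, "ok"


def parse_feed_guarded(raw: bytes):
    """Screen first, refuse a vulnerable feedparser, then parse."""
    accepted, reason = screen_feed(raw)
    if not accepted:
        raise ValueError("feed rejected: " + reason)
    version = installed_feedparser_version()
    if version is None:
        raise RuntimeError("feedparser is not installed")
    if is_vulnerable_version(version):
        raise RuntimeError("feedparser %s predates the 5.1.2 fix; upgrade" % version)
    import feedparser  # type: ignore
    return feedparser.parse(raw)


# Constructed sample inputs for demonstration (not real feeds).
SAFE_FEED = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<rss version="2.0"><channel><title>Constructed sample</title></channel></rss>'
)
ENTITY_FEED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE rss [<!ENTITY site "example.invalid">]>'
    b'<rss version="2.0"><channel><title>&site;</title></channel></rss>'
)

if __name__ == "__main__":
    for name, feed in (("SAFE_FEED", SAFE_FEED), ("ENTITY_FEED", ENTITY_FEED)):
        print(name, screen_feed(feed))
    print("installed feedparser:", installed_feedparser_version())
```

Screening on raw bytes before the parser sees them keeps the control independent of the parser's own entity handling, which is what the affected versions get wrong; the version gate makes the guard fail closed on hosts that were not upgraded.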
There are no confirmed reports of widespread exploitation in the wild, but the ease of exploitation makes it a potential target. Monitor your system resources for unusual memory consumption.
The official advisory can be found on the Universal Feed Parser project's website and referenced in the NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2012-2921