CVE-2020-15232 — XXE attack in Mapfish Print

Description

### Impact A user can do to an XML External Entity (XXE) attack with the provided SDL style. ### Patches Use version >= 3.24 ### Workarounds No ### References * https://cwe.mitre.org/data/definitions/611.html * https://github.com/mapfish/mapfish-print/pull/1397/commits/e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e ### For more information If you have any questions or comments about this advisory Comment the pull request: https://github.com/mapfish/mapfish-print/pull/1397

How to fix CVE-2020-15232

To remediate CVE-2020-15232, upgrade the affected package to a fixed version below.

—upgrade to 3.24 or later
—upgrade to 3.24 or later
—upgrade to 3.24 or later

Is CVE-2020-15232 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 3.0, < 3.24
>= 3.0, < 3.24
>= 3.0, < 3.24

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-15232
PATCHgithub.com/mapfish/mapfish-print
WEBgithub.com/mapfish/mapfish-print/pull/1397
WEBgithub.com/mapfish/mapfish-print/pull/1397/commits/e1d0527d13db06b2b62ca7d6afb9e97dacd67a0e