|Description||XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, sid, jessie, stretch||1.0.3-1||fixed|
The information below is based on the following data on fixed versions.
[wheezy] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
[squeeze] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
older versions do not have the ability to set a user custom parser, trying to fix CVE-2014-1626 not clear yet
upstream developer contacted and is looking into it; backport fix might be to intrusive due to change in used Module