DescriptionOCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs905396

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ocsinventory-server (PTS)buster2.5+dfsg1-1fixed
buster (security)2.5+dfsg1-1+deb10u1fixed
sid, trixie, bookworm2.8.1+dfsg1+~2.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Authentication is needed, only supported in trusted environments, see debtags

Search for package or bug name: Reporting problems