CVE-2020-27197

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in libtaxii and OpenTAXII that allows attackers to make arbitrary HTTP requests from the vulnerable server. The vulnerability bypasses network restrictions by using an initial 'http://' substring, potentially exposing internal services. Affected users include those running vulnerable versions of libtaxii, OpenTAXII, or other products using these libraries.

💻 Affected Systems

Products:
  • libtaxii
  • OpenTAXII
  • Other products using libtaxii
Versions: libtaxii through 1.1.117, OpenTAXII through 0.2.0
Operating Systems: All platforms running affected software
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable even when the XML parser's no_network setting is used. The vendor notes this may be an lxml library issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network, potentially leading to full network compromise.

🟠 Likely Case

Attackers scan internal networks, access metadata services, or interact with internal APIs to gather information about the infrastructure.

🟢 If Mitigated

With proper network segmentation and egress filtering, impact is limited to information disclosure about accessible internal services.

🌐 Internet-Facing: HIGH - Internet-facing instances can be directly exploited by external attackers without authentication.
🏢 Internal Only: MEDIUM - Internal instances could be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published on Packet Storm Security. Simple SSRF technique using http:// substring bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check upstream repositories for fixes

Vendor Advisory: https://github.com/TAXIIProject/libtaxii/issues/246

Restart Required: Yes

Instructions:

1. Update libtaxii to a patched version.
2. Update OpenTAXII or other dependent software.
3. Restart affected services.
4. Verify that the fix is in place.

🔧 Temporary Workarounds

Network Restriction (applies to: all)

Implement strict egress filtering and network segmentation to limit outbound connections from vulnerable servers.

Input Validation (applies to: all)

Add input validation to reject URLs containing http:// substrings before processing.

🧯 If You Can't Patch

  • Isolate vulnerable systems in restricted network segments with no internet or internal service access
  • Implement web application firewall rules to block SSRF patterns and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the installed libtaxii version with pip show libtaxii, or inspect the package version in the Python environment.

Check Version:

python -c "import libtaxii; print(libtaxii.__version__)"

Verify Fix Applied:

Test with SSRF payloads containing http:// substrings to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from TAXII servers
  • Requests to internal IP addresses or metadata services

Network Indicators:

  • HTTP traffic from TAXII servers to unexpected destinations
  • Patterns matching SSRF exploitation

SIEM Query:

source="taxii-server" AND (dest_ip=169.254.169.254 OR dest_ip=10.* OR dest_ip=192.168.* OR dest_ip=172.16.*)
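The SIEM query above expressed as standalone detection logic, as an added example that is not part of this advisory or of the libtaxii/OpenTAXII projects. It goes slightly beyond the query by using CIDR matching over the full RFC 1918, link-local and loopback ranges instead of address globs (a 172.16.* glob covers only 172.16.0.0/16, not all of 172.16.0.0/12). The key=value log format, the taxii-server source tag and the sample events are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges, link-local (which contains the 169.254.169.254
# cloud metadata endpoint) and loopback. 172.16.0.0/12 spans 172.16.x.x to
# 172.31.x.x; a glob such as 172.16.* only covers the first /16 of that.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]
# Assumed source tag the log pipeline applies to TAXII server egress events.
TAXII_SOURCES = {"taxii-server"}

def parse_event(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_internal(ip_text):
    """True if ip_text parses as an address inside one of SUSPECT_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SUSPECT_NETWORKS)

def find_ssrf_candidates(lines):
    """Return (dest_ip, line) for TAXII-server egress into internal address space."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("source") in TAXII_SOURCES and is_internal(ev.get("dest_ip", "")):
            hits.append((ev["dest_ip"], line))
    return hits

# Constructed sample events: a metadata-service probe, an internal host in
# 172.20/16 (missed by a 172.16.* glob), a benign fetch from a public TAXII
# feed, and an internal connection from an unrelated host.
SAMPLE_LOG = [
    "source=taxii-server dest_ip=169.254.169.254 dest_port=80 uri=/",
    "source=taxii-server dest_ip=172.20.4.9 dest_port=8080 uri=/",
    "source=taxii-server dest_ip=203.0.113.10 dest_port=443 uri=/taxii/collections",
    "source=web-proxy dest_ip=10.1.2.3 dest_port=80 uri=/",
]
```

Running find_ssrf_candidates(SAMPLE_LOG) flags only the first two events; the public feed fetch and the non-TAXII host are ignored.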
