NSA GRASSMARLIN
Summary
NSA GRASSMARLIN contains an Improper Restriction of XML External Entity Reference (XXE) vulnerability that allows the disclosure of sensitive information. GRASSMARLIN reached end-of-life in 2017 and is no longer supported by the vendor.
IFF Assessment
The vulnerability allows for the disclosure of sensitive information, which is a negative outcome for defenders.
Severity
The CVSS score of 5.5 (MEDIUM) follows from these base metrics: Local Attack Vector (AV:L), Low Attack Complexity (AC:L), Low Privileges Required (PR:L), No User Interaction (UI:N), Scope Unchanged (S:U), and High Confidentiality Impact (C:H). This indicates a moderate risk that could lead to significant information disclosure.
Defender Context
This vulnerability highlights the risks associated with using unsupported software, especially in critical infrastructure sectors like Information Technology. Defenders should prioritize identifying and migrating away from end-of-life products to mitigate the risk of exploitation, as no patches will be provided.