Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04aDljLXI1ODItbWdnY84AAx-f

OWSLib vulnerable to XML External Entity (XXE) Injection

Impact

OWSLib's XML parser (which supports both lxml and xml.etree) does not disable entity resolution when lxml is the backend. lxml's XMLParser resolves entities by default, so an attacker-controlled XML payload (for example a service response that OWSLib fetches and parses) can carry a DOCTYPE declaring an external entity that points at a local file, and the file's contents are expanded into the parsed document and returned to the caller. This can lead to arbitrary file reads and affects all XML parsing in the codebase.

Patches

Fixed in OWSLib 0.28.1; all earlier releases are affected (see Affected Packages below).
Workarounds

Until you can upgrade, disable entity resolution in lxml's default parser before OWSLib parses anything (patch_well_known_namespaces is OWSLib's own helper from owslib.etree):

from lxml import etree
from owslib.etree import patch_well_known_namespaces

patch_well_known_namespaces(etree)
# lxml's default parser is per thread: run this in every thread that parses XML
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)

This only helps for code paths that use lxml's default parser; it does not change parsers that are constructed explicitly.
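As an added example (not code from the advisory or from OWSLib), the script below shows both halves of what the Impact and Workarounds sections describe: an XML payload whose DOCTYPE declares an external entity pointing at a local file is expanded by lxml when entity resolution is on, and is left as an inert entity reference once resolve_entities=False is set, either per parser or via set_default_parser. It assumes lxml is installed. The secret file, its contents and the payload are constructed for the demo; an attack would deliver the same payload as a service response. Because lxml 5.0 and later default to resolving only internal entities, the vulnerable path passes resolve_entities=True explicitly to reproduce the older default behaviour.

```python
"""XXE via lxml entity resolution: vulnerable parse beside two hardened forms."""
import os
import tempfile

from lxml import etree

# Constructed stand-in for a sensitive local file (e.g. /etc/passwd or a config with credentials).
SECRET = b"db_password=hunter2\n"


def write_secret_file() -> str:
    """Create the file the attacker wants to read; returns its absolute path."""
    fd, path = tempfile.mkstemp(prefix="owslib-xxe-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SECRET)
    return path


def xxe_payload(path: str) -> bytes:
    """Constructed attacker-controlled XML, shaped like an OWS capabilities document.
    The internal DTD subset declares an external entity that points at a local file."""
    return (
        b"<?xml version='1.0'?>\n"
        b"<!DOCTYPE Capabilities [\n"
        b"  <!ENTITY xxe SYSTEM 'file://" + path.encode() + b"'>\n"
        b"]>\n"
        b"<Capabilities><Title>&xxe;</Title></Capabilities>"
    )


def parse_vulnerable(payload: bytes) -> str:
    """resolve_entities=True (the historical lxml default) substitutes &xxe;
    with the referenced file's contents, which then flow into the parsed result."""
    parser = etree.XMLParser(resolve_entities=True)
    root = etree.fromstring(payload, parser)
    return root.findtext("Title") or ""


def parse_hardened(payload: bytes) -> bytes:
    """resolve_entities=False keeps &xxe; as an unexpanded entity node; no file is read."""
    parser = etree.XMLParser(resolve_entities=False)
    root = etree.fromstring(payload, parser)
    return etree.tostring(root.find("Title"))


def parse_with_workaround(payload: bytes) -> bytes:
    """The advisory's workaround: make the hardened parser the thread's default,
    so code that calls etree.fromstring() without an explicit parser is covered too."""
    etree.set_default_parser(parser=etree.XMLParser(resolve_entities=False))
    root = etree.fromstring(payload)  # no explicit parser: uses the thread default
    return etree.tostring(root.find("Title"))


def run_demo() -> dict:
    """Run all three parses against the same payload and return their results."""
    path = write_secret_file()
    try:
        payload = xxe_payload(path)
        return {
            "vulnerable": parse_vulnerable(payload),
            "hardened": parse_hardened(payload),
            "workaround": parse_with_workaround(payload),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} -> {result!r}")
```

The vulnerable result contains the secret file's text; both hardened results serialize the Title element as `<Title>&xxe;</Title>` with nothing read from disk. Note that set_default_parser only affects the calling thread, so a multi-threaded service must apply the workaround in each worker.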

References

Permalink: https://github.com/advisories/GHSA-8h9c-r582-mggc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04aDljLXI1ODItbWdnY84AAx-f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago


CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Identifiers: GHSA-8h9c-r582-mggc, CVE-2023-27476
References: Repository: https://github.com/geopython/OWSLib
Blast Radius: 18.4

Affected Packages

pypi:OWSLib
Dependent packages: 50
Dependent repositories: 175
Downloads: 77,927 last month
Affected Version Ranges: < 0.28.1
Fixed in: 0.28.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.28.0
All unaffected versions: 0.28.1, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.30.0, 0.31.0