Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mODNxLTJjcDctcXJqZ84AAt2b
untangle vulnerable to Improper Restriction of XML External Entity Reference
Description
untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.
Impact
An attacker may be able to read the contents of local files. This affects untangle versions up to and including 1.2.0
Patches
The problem has been fixed with version 1.2.1
Workarounds
None
References
https://jvn.jp/en/jp/JVN30454777/
For more information
If you have any questions or comments about this advisory:
- Open an issue
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mODNxLTJjcDctcXJqZ84AAt2b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 9 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-f83q-2cp7-qrjg, CVE-2022-31471
References:
- https://github.com/stchris/untangle/security/advisories/GHSA-f83q-2cp7-qrjg
- https://nvd.nist.gov/vuln/detail/CVE-2022-31471
- https://github.com/pypa/advisory-database/tree/main/vulns/untangle/PYSEC-2022-244.yaml
- https://github.com/stchris/untangle
- https://github.com/stchris/untangle/releases/tag/1.2.1
- https://jvn.jp/en/jp/JVN30454777/
- https://github.com/advisories/GHSA-f83q-2cp7-qrjg
Blast Radius: 18.4
Affected Packages
pypi:untangle
Dependent packages: 11Dependent repositories: 285
Downloads: 150,369 last month
Affected Version Ranges: < 1.2.1
Fixed in: 1.2.1
All affected versions: 0.3.1, 0.4.0, 1.0.0, 1.1.0, 1.1.1, 1.2.0
All unaffected versions: 1.2.1