Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1Z2MtcDVtMy12MzQ3

XXE in petl

Impact

Information Disclosure

Summary

petl is a Python library that provides functions for extraction, transformation, and loading (ETL) of data.

petl before 1.68, in some configurations, allows resolution of entities in XML input.

An attacker who is able to submit XML input to an application using petl can disclose arbitrary files on the file system in the context of the user under which the application is running.
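As an added illustration that is not part of this advisory and does not use petl's own code or API, the parser below shows the general mitigation for this class of bug: XML from an untrusted source is fed to Python's standard-library expat parser with handlers that refuse any DOCTYPE, entity declaration or external entity reference before anything can be resolved. The two sample documents are constructed for the example; the unsafe one carries only an internal entity declaration, which is enough to trip the check.

```python
"""Parse untrusted XML while refusing DTDs and entity declarations.

Added example (not petl's code): the defensive setting that prevents the
entity-resolution problem described in the advisory, built on expat only.
"""
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the document contains constructs that could enable XXE."""


def parse_strict(data: bytes) -> dict:
    """Parse XML into nested dicts; reject any DOCTYPE or entity declaration.

    Returns the root element as {"tag", "attrs", "text", "children"}.
    """
    parser = expat.ParserCreate()

    # Any DTD at all is rejected: entity declarations can only live inside one.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration for {name!r} rejected")

    # Belt and braces: refuse entity declarations and external references even
    # if a future change somehow let a DTD through.
    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference rejected")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref

    # Minimal tree builder so the function returns something usable.
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(text):
        # expat may deliver text in several chunks; accumulate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    # Exceptions raised inside handlers propagate out of Parse().
    parser.Parse(data, True)
    return root["children"][0]


def check_xml(data: bytes) -> bool:
    """True if the document parses under the strict rules, False otherwise."""
    try:
        parse_strict(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed sample inputs for the example.
SAFE_DOC = b"<record id='1'><name>alice</name></record>"
UNSAFE_DOC = (
    b"<!DOCTYPE record [<!ENTITY greeting 'hello'>]>"
    b"<record><name>&greeting;</name></record>"
)

if __name__ == "__main__":
    print("safe document accepted:", check_xml(SAFE_DOC))
    print("document with DTD accepted:", check_xml(UNSAFE_DOC))
```

Rejecting the whole DTD rather than only external entities is the simplest robust policy for input you do not control; it also removes entity-expansion denial of service from the same code path.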

Affected Applications

Applications that:

Mitigation

Update to petl >= 1.68

Workarounds

References

For more information

If you have any questions or comments about this advisory:

Thanks to Naveen Sunkavally.

Permalink: https://github.com/advisories/GHSA-f5gc-p5m3-v347
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1Z2MtcDVtMy12MzQ3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-f5gc-p5m3-v347
References: Repository: https://github.com/petl-developers/petl
Blast Radius: 0.0

Affected Packages

pypi:petl
Dependent packages: 14
Dependent repositories: 302
Downloads: 813,291 last month
Affected Version Ranges: < 1.6.8
Fixed in: 1.6.8
All affected versions: 0.10.1, 0.10.2, 0.11.1, 0.13.1, 0.16.1, 0.16.2, 0.17.1, 0.18.1, 0.21.2, 0.22.1, 0.24.1, 0.24.2, 0.24.3, 0.25.1, 0.25.2, 0.25.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7
All unaffected versions: 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15