CVE-2023-27476

2023-03-0800:15:08

CWE-611

[email protected]

web.nvd.nist.gov

owslib

python

ogc

web service

xml parser

vulnerability

cve-2023-27476

fix

upgrade

ghsa-8h9c-r582-mggc

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.0%

JSON

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib’s XML parser (which supports both lxml and xml.etree) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See GHSA-8h9c-r582-mggc for details.

Affected configurations

Vulners

NVD

Node

geopythonowslibRange<0.28.1

CPENameOperatorVersion
osgeo:owslibosgeo owsliblt0.28.1

CPE	Name	Operator	Version
osgeo:owslib	osgeo owslib	lt	0.28.1

CNA Affected

[
  {
    "vendor": "geopython",
    "product": "OWSLib",
    "versions": [
      {
        "version": "< 0.28.1",
        "status": "affected"
      }
    ]
  }
]