CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.007 Low
Percentile: 80.2%
Information Disclosure
petl is a Python library that provides functions for extraction, transformation, and loading (ETL) of data.
petl before 1.68, in some configurations, allows resolution of entities in XML input.
An attacker who is able to submit XML input to an application using petl can disclose arbitrary files on the file system in the context of the user under which the application is running.
Applications that:
Update to petl >= 1.68
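As an added defensive example (not petl's own code, and separate from the fix shipped in 1.68): a guard that refuses XML input carrying a DOCTYPE or entity declaration before it is handed to an XML-to-table step, using only the Python standard library. The row parser, tag names and sample documents below are constructed for illustration.

```python
"""XXE guard for XML fed into an ETL step (added example, not petl code)."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when the input declares a DOCTYPE or any entity."""


def reject_doctype(data: bytes) -> None:
    """Raise UnsafeXMLError if `data` carries a DOCTYPE or entity declaration.

    XXE payloads are delivered through the DTD, so refusing the DTD as a whole
    closes the vector regardless of how the downstream parser is configured.
    """
    parser = xml.parsers.expat.ParserCreate()
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"ENTITY {name!r}" + (f" SYSTEM {sysid!r}" if sysid else ""))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never fetch external parameter entities while inspecting the DTD.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # Malformed input is reported by the real parse below.
    if findings:
        raise UnsafeXMLError("; ".join(findings))


def is_safe_xml(data: bytes) -> bool:
    """True if the guard accepts the document."""
    try:
        reject_doctype(data)
    except UnsafeXMLError:
        return False
    return True


def parse_rows(data: bytes, row_tag: str) -> list:
    """Guard first, then flatten <row><col>v</col>...</row> elements into dicts."""
    reject_doctype(data)
    root = ET.fromstring(data)
    return [{col.tag: col.text for col in row} for row in root.iter(row_tag)]


# Constructed samples: a clean table and one that declares an entity.
CLEAN = b"<table><row><name>alice</name><age>30</age></row><row><name>bob</name><age>25</age></row></table>"
ENTITY_DOC = b'<!DOCTYPE table [<!ENTITY who "alice">]><table><row><name>&who;</name></row></table>'
```

Any document with a DTD is refused outright; that is stricter than disabling external entity resolution, but it matches what an ETL feed of plain data rows needs.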
If you have any questions or comments about this advisory:
Thanks to Naveen Sunkavally.
github.com/advisories/GHSA-f5gc-p5m3-v347
github.com/petl-developers/petl/pull/527
github.com/petl-developers/petl/releases/tag/v1.6.8
github.com/petl-developers/petl/security/advisories/GHSA-f5gc-p5m3-v347
owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
petl.readthedocs.io/en/stable/changes.html