CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
EPSS
Percentile
56.1%
OWSLib’s XML parser (which supports both lxml
and xml.etree
) does not disable entity resolution for lxml
, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.
resolve_entities=False
to lxml
’s parser: https://github.com/geopython/OWSLib/pull/863patch_well_known_namespaces(etree)
etree.set_default_parser(
parser=etree.XMLParser(resolve_entities=False)
)
github.com/geopython/OWSLib
github.com/geopython/OWSLib/pull/863
github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f
github.com/geopython/OWSLib/releases/tag/0.28.1
github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
github.com/pypa/advisory-database/tree/main/vulns/owslib/PYSEC-2023-86.yaml
lists.debian.org/debian-lts-announce/2023/06/msg00032.html
nvd.nist.gov/vuln/detail/CVE-2023-27476
securitylab.github.com/advisories/GHSL-2022-131_owslib
www.debian.org/security/2023/dsa-5426