CVSS3: 8.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
EPSS: 0.001 Low
EPSS Percentile: 51.0%
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards and their related content models. OWSLib's XML parser (which supports both lxml and xml.etree) does not disable entity resolution. An attacker-controlled XML payload (for a client library, typically a response from a malicious or compromised OGC service) can therefore declare an external entity whose SYSTEM identifier points at a local file, and the parser will read that file from the client host and substitute its contents into the parsed document, giving arbitrary file reads. This affects all XML parsing in the codebase. The issue has been addressed in version 0.28.1, and all users are advised to upgrade. The only known workaround is to patch the library manually. See GHSA-8h9c-r582-mggc for details.
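The following is an added example, not OWSLib's code and not the change in the linked commit: it builds a constructed XXE payload against a temporary file and parses it twice, once with entity resolution enabled (the vulnerable configuration, and the default in older lxml releases) and once with it disabled, so the difference the advisory describes is visible in the output. It uses lxml when installed, since that is the backend the advisory is about, and otherwise falls back to the standard library's xml.sax over expat, where the equivalent switch is the external-general-entities feature. The element names (Capabilities, Title), the entity name, the sax fallback and the "sensitive" file are all constructed for the demonstration; the hardened form shows the general technique (passing a parser with resolve_entities=False), not the exact patch in 0.28.1.

```python
"""Added example (not OWSLib code): an external-entity (XXE) file read via an XML
parser that resolves entities, beside the hardened parser that does not."""
import os
import pathlib
import tempfile
from io import BytesIO
import xml.sax
from xml.sax import handler

try:
    from lxml import etree as lxml_etree  # preferred backend when installed
except ImportError:
    lxml_etree = None  # fall back to the standard library (xml.sax over expat)

# Constructed marker written to a temporary "sensitive" file for the demo.
SECRET = "constructed-secret-do-not-leak-7f3a"


def xxe_payload(target_path: str) -> bytes:
    """Constructed attacker-controlled document: an external general entity whose
    SYSTEM identifier points at a local file, referenced from element content.
    Element names are hypothetical; any document the client parses would do."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE Capabilities [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<Capabilities><Title>&xxe;</Title></Capabilities>"
    ).encode()


def parse_text(xml_bytes: bytes, resolve_entities: bool) -> str:
    """Parse the document and return what the application would see.

    resolve_entities=True is the vulnerable configuration (the default in older
    lxml releases; passed explicitly here so the contrast does not depend on the
    installed version). resolve_entities=False leaves the reference unresolved,
    so no file is opened."""
    if lxml_etree is not None:
        parser = lxml_etree.XMLParser(resolve_entities=resolve_entities)
        root = lxml_etree.fromstring(xml_bytes, parser=parser)
        # Serialise rather than read .text: with resolution off the reference
        # survives as an entity node and Title.text is None.
        return lxml_etree.tostring(root, encoding="unicode")

    # Standard-library fallback: in xml.sax the equivalent switch is the
    # external-general-entities feature (off by default in modern Python).
    collected = []

    class TitleText(handler.ContentHandler):
        def __init__(self):
            super().__init__()
            self.in_title = False

        def startElement(self, name, attrs):
            self.in_title = name == "Title"

        def endElement(self, name):
            self.in_title = False

        def characters(self, content):
            if self.in_title:
                collected.append(content)

    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_entities)
    parser.setContentHandler(TitleText())
    parser.parse(BytesIO(xml_bytes))
    return "".join(collected)


def demo() -> tuple:
    """Write the constructed secret to a temp file, then parse a payload that
    targets it with both configurations. Returns (vulnerable_output, hardened_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sensitive.txt")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(SECRET)
        payload = xxe_payload(target)
        leaked = parse_text(payload, resolve_entities=True)
        safe = parse_text(payload, resolve_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolve_entities=True :", leaked)  # file contents appear in the document
    print("resolve_entities=False:", safe)    # the &xxe; reference is left unresolved
```

When checking a codebase for this class of bug, the thing to grep for is every place an XML string or response body reaches a parser without an explicit parser object: with lxml, a bare `etree.fromstring(data)` or `etree.parse(f)` inherits the module default rather than the policy you chose, so the fix has to be applied at every call site (or, as OWSLib does, in one wrapper that every call site goes through).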
github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f
github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
launchpad.net/bugs/cve/CVE-2023-27476
nvd.nist.gov/vuln/detail/CVE-2023-27476
security-tracker.debian.org/tracker/CVE-2023-27476
securitylab.github.com/advisories/GHSL-2022-131_owslib/
www.cve.org/CVERecord?id=CVE-2023-27476