GHSA-7r9x-qrpr-3cxw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7r9x-qrpr-3cxw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-7r9x-qrpr-3cxw/GHSA-7r9x-qrpr-3cxw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-7r9x-qrpr-3cxw
- Published
- 2022-08-11T18:06:05Z
- Modified
- 2024-12-03T05:51:58.515666Z
- Summary
- mofh Vulnerable to Improper Restriction of XML External Entity Reference
- Details
-
The
xml.etree.ElementTreemodule that mofh used up until version1.0.1implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:- Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
- Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.
The Problem has been patched starting from version
1.0.1by utilising thedefusedxmlpackage instead ofxml.etree.ElementTree.Workarounds
For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the
api_urlargument, or MyOwnFreeHost's API must be hacked. So, if the user did not use a custom API URL they should be fine, however, upgrading is still advised.Another workaround could be to call
defusedxml.defuse_stdlib()before making any requests using the client. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-611" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-08-11T18:06:05Z" }- References
Affected packages
PyPI / mofh
Package
- Name
- mofh
- View open source insights on deps.dev
- Purl
- pkg:pypi/mofh