GHSA-8h9c-r582-mggc

Source
https://github.com/advisories/GHSA-8h9c-r582-mggc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8h9c-r582-mggc/GHSA-8h9c-r582-mggc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8h9c-r582-mggc
Aliases
Published
2023-03-07T20:41:36Z
Modified
2024-10-07T21:23:37.461279Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
OWSLib vulnerable to XML External Entity (XXE) Injection
Details

Impact

OWSLib's XML parser (which supports both lxml and xml.etree) does not disable entity resolution for lxml, which could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.

Patches

  • Use only lxml for XML handling, adding resolve_entities=False to lxml's parser: https://github.com/geopython/OWSLib/pull/863

Workarounds

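# Run before any OWSLib parsing. The owslib.etree import path is an assumption.
from lxml import etree
from owslib.etree import patch_well_known_namespaces
patch_well_known_namespaces(etree)
# Make lxml's default parser leave entity references unexpanded.
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)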
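
A regression check for the parser setting above, as an added example that is not part of the advisory or of OWSLib's code: it parses a constructed document whose external entity points at a temporary marker file and reports whether a given lxml parser copies that file's content into the tree. The helper names, the marker string and the probe document are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

from lxml import etree

# Constructed marker written to a throwaway file; not real data.
MARKER = "constructed-marker-not-a-real-secret"


def build_probe(target: Path) -> bytes:
    """Constructed XML document whose external entity points at `target`."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE probe [<!ENTITY ext SYSTEM "{target.as_uri()}">]>\n'
        "<probe>&ext;</probe>"
    ).encode()


def expands_external_entities(parser: etree.XMLParser) -> bool:
    """Return True if `parser` pulls the marker file's content into the tree."""
    fd, name = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(MARKER)
        try:
            root = etree.fromstring(build_probe(Path(name)), parser)
        except etree.XMLSyntaxError:
            return False  # parser rejected the document instead of expanding it
        # An unexpanded reference serializes as "&ext;", so the marker is absent.
        return MARKER in etree.tostring(root, encoding="unicode")
    finally:
        os.unlink(name)


if __name__ == "__main__":
    configs = {
        "resolve_entities=True": etree.XMLParser(resolve_entities=True),
        "resolve_entities=False": etree.XMLParser(resolve_entities=False),
    }
    for label, parser in configs.items():
        verdict = "EXPANDS external entity" if expands_external_entities(parser) else "safe"
        print(f"{label}: {verdict}")
```

Passing the parser object your own code constructs to expands_external_entities gives a unit test that fails if entity resolution is ever re-enabled.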

Database specific
{
    "nvd_published_at": "2023-03-08T00:15:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-07T20:41:36Z"
}
Affected packages

PyPI / owslib

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.28.1

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3
0.3.1
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12
0.8.13
0.9.0
0.9.1
0.9.2
0.10.0
0.10.1
0.10.2
0.10.3
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.14.0
0.15.0
0.16.0
0.17.0
0.17.1
0.18.0
0.19.0
0.19.1
0.19.2
0.20.0
0.21.0
0.22.0
0.23.0
0.24.0
0.24.1
0.25.0
0.26.0
0.27.0
0.27.1
0.27.2
0.28.0