GHSA-ccgm-3xw4-h5p8

Source
https://github.com/advisories/GHSA-ccgm-3xw4-h5p8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-ccgm-3xw4-h5p8/GHSA-ccgm-3xw4-h5p8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ccgm-3xw4-h5p8
Aliases
Published
2021-04-20T16:30:03Z
Modified
2024-10-09T20:02:28.255117Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Improper Restriction of XML External Entity Reference in pikepdf
Details

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. XMP metadata is XML embedded in the PDF, so the input is attacker-controlled: a crafted document can declare an external entity in its XMP packet and have it resolved when pikepdf reads the metadata. The classic outcome of that bug class (CWE-611) is disclosure of local files, or requests issued, from the host that parses the document, which matches the CVSS vectors above: network-reachable input, no privileges or user interaction, and a confidentiality-only impact (C:H, I:N, A:N). The fix ships in pikepdf 2.10.0; until you are on that release, treat metadata from untrusted PDFs as untrusted XML.
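The following is an added example, not code from pikepdf or from this advisory. It reproduces the bug class with the standard library's expat-backed xml.sax parser (pikepdf itself parses XMP with lxml): one constructed XMP packet is parsed once with external general entities enabled, which is the unsafe configuration CWE-611 describes, and once with them disabled. Everything in it is constructed for the demonstration: the packet, the file it references, and the helper names build_xmp_with_xxe, extract_title, contains_doctype and demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xmp_with_xxe(secret_path: str) -> str:
    """Constructed XMP packet (not from a real PDF): the DOCTYPE declares an
    external general entity pointing at a local file, and dc:title references it.
    A plain path works with expat; a file:// URL does as well."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE x:xmpmeta [
  <!ENTITY xxe SYSTEM "{secret_path}">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
      <dc:title>&xxe;</dc:title>
    </rdf:Description>
  </rdf:RDF>
</x:xmpmeta>
"""


class TitleCollector(ContentHandler):
    """Collects the text of dc:title, the field an XXE payload surfaces in."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "dc:title":
            self._in_title = True

    def endElement(self, name):
        if name == "dc:title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self.parts.append(content)


def extract_title(xmp_text: str, resolve_external_entities: bool) -> str:
    """Parse an XMP packet and return the dc:title text.

    resolve_external_entities=True is the unsafe setting: expat follows the
    SYSTEM entity and splices the referenced file into the document.
    False (the stdlib default since Python 3.7.1) drops such entities,
    which is what a metadata parser fed untrusted PDFs needs.
    """
    handler = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xmp_text))
    return "".join(handler.parts)


def contains_doctype(xmp_text: str) -> bool:
    """Cheap pre-parse triage: an XMP packet has no legitimate reason to carry a
    DTD, and a DOCTYPE is the only place an entity can be declared, so its
    presence is worth rejecting or alerting on before any parser sees the data."""
    return "<!DOCTYPE" in xmp_text


def demo():
    """Run the same packet through both configurations; returns (leaked, safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("s3cret-data")  # constructed stand-in for a sensitive local file
        xmp = build_xmp_with_xxe(secret_path)
        leaked = extract_title(xmp, resolve_external_entities=True)
        safe = extract_title(xmp, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"unsafe parser, dc:title = {leaked!r}")
    print(f"hardened parser, dc:title = {safe!r}")
```

Run it and the unsafe pass returns the file's contents as the document title while the hardened pass returns an empty string. In lxml, which pikepdf uses for XMP, the corresponding hardening is XMLParser(resolve_entities=False), optionally with no_network=True (already lxml's default); this page does not say how 2.10.0 fixed the issue, so do not read this block as the project's patch. contains_doctype is the kind of check a PDF-ingestion pipeline can run on every XMP stream as a detection signal independent of which parser sits behind it.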

Database specific
{
    "nvd_published_at": "2021-04-01T20:15:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T21:54:20Z"
}
References

Affected packages

Package
PyPI / pikepdf

Affected ranges
Type: ECOSYSTEM
Events: Introduced 1.3.0; Fixed 2.10.0

Affected versions

1.*

1.3.0
1.3.1
1.4.0
1.5.0
1.5.0.post0
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.7.0
1.7.1
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.12.0
1.13.0
1.14.0
1.15.0
1.15.1
1.16.0
1.16.1
1.17.0
1.17.1
1.17.2
1.17.3
1.18.0
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4

2.*

2.0.0b1
2.0.0b2
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.8.0
2.8.0.post1
2.8.0.post2
2.9.0
2.9.1
2.9.2