GHSA-8h9c-r582-mggc

Source

https://github.com/advisories/GHSA-8h9c-r582-mggc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8h9c-r582-mggc/GHSA-8h9c-r582-mggc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8h9c-r582-mggc

Aliases

CVE-2023-27476

Published

2023-03-07T20:41:36Z

Modified

2024-10-07T21:25:09.736719Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

OWSLib vulnerable to XML External Entity (XXE) Injection

Details

Impact

OWSLib's XML parser (which supports both lxml and xml.etree) does not disable entity resolution for lxml, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.

Patches

Use only lxml for XML handling, adding resolve_entities=False to lxml's parser: https://github.com/geopython/OWSLib/pull/863

Workarounds

patch_well_known_namespaces(etree)
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)

References

GHSL-2022-131

References

Affected packages

PyPI / owslib

Package

Name: owslib; View open source insights on deps.dev
Purl: pkg:pypi/owslib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.1

Affected versions

0.*

0.1.0

0.2.0

0.2.1

0.3

0.3.1

0.4.0

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11

0.8.12

0.8.13

0.9.0

0.9.1

0.9.2

0.10.0

0.10.1

0.10.2

0.10.3

0.11.0

0.11.1

0.11.2

0.12.0

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.17.1

0.18.0

0.19.0

0.19.1

0.19.2

0.20.0

0.21.0

0.22.0

0.23.0

0.24.0

0.24.1

0.25.0

0.26.0

0.27.0

0.27.1

0.27.2

0.28.0