GHSA-7r9x-qrpr-3cxw mofh

Package

Manager: pip
Name: mofh
Vulnerable Version: >=0 <1.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

mofh Vulnerable to Improper Restriction of XML External Entity Reference

The `xml.etree.ElementTree` module that mofh used in versions before `1.0.1` implements a simple and efficient API for parsing and creating XML data, but it expands entities declared in the document's own DTD, which exposes the application to:

- [Billion Laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack): a denial-of-service attack aimed at XML parsers. It declares multiple levels of nested entities, each level referencing the previous one several times, so a document of a few hundred bytes expands exponentially into gigabytes of text and exhausts the parser's CPU and memory.
- [Quadratic blowup attack](https://www.acunetix.com/vulnerabilities/web/xml-quadratic-blowup-denial-of-service-attack/): similar to a Billion Laughs attack in that it abuses entity expansion, but instead of nesting entities it declares a single entity of a couple of thousand characters and references it tens of thousands of times.

The problem has been patched starting from version `1.0.1` by utilising the `defusedxml` package instead of `xml.etree.ElementTree`.

### Workarounds

For this vulnerability to be exploited the user must be using a custom API URL, supplied manually through the `api_url` argument, or MyOwnFreeHost's API itself must be compromised. So, if the user did not use a custom API URL they _should_ be fine; however, upgrading is still advised. Another workaround is to call `defusedxml.defuse_stdlib()` before making any requests using the client. Note that this monkeypatches the standard-library XML parsers for the whole process, so call it as early as possible at startup, before other modules bind names from those parsers.
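The following is an added illustration, not code from the mofh project, from the advisory, or from `defusedxml`. It builds small, constructed versions of both payloads described above, shows that the stdlib parser expands them (the same parser mofh used before `1.0.1`), and then applies a stdlib-only guard built on `xml.parsers.expat` that rejects any entity declaration or external entity reference, which is the behaviour `defusedxml`'s defaults give you. The guard (`reject_entities`, `safe_fromstring`), the payload generators and `XMLBombError` are names chosen for this example; in production code use `defusedxml` rather than re-implementing it.

```python
"""XML entity-expansion demo: billion laughs and quadratic blowup.

Added example, not code from mofh or defusedxml. The payload sizes are
deliberately tiny so the expansion is measurable rather than harmful.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


def make_billion_laughs(depth: int, fanout: int) -> str:
    """Constructed payload: lol0 = "lol", lolN = `fanout` references to lol(N-1).
    Referencing lol<depth> in the body expands to 3 * fanout**depth characters."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = ("&lol%d;" % (level - 1)) * fanout
        decls.append('<!ENTITY lol%d "%s">' % (level, refs))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>'
            % ("\n".join(decls), depth))


def make_quadratic_blowup(entity_len: int, refs: int) -> str:
    """Constructed payload: one entity of `entity_len` chars referenced `refs`
    times; output is entity_len * refs chars from roughly entity_len + 3 * refs bytes."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE bomb [\n<!ENTITY a "%s">\n]>\n<bomb>%s</bomb>'
            % ("A" * entity_len, "&a;" * refs))


def unsafe_text_length(xml_text: str) -> int:
    """What an unpatched client effectively does: parse with the stdlib and trust
    the result. Returns the length of the expanded text so the amplification
    is visible."""
    return len(ET.fromstring(xml_text).text or "")


class XMLBombError(ValueError):
    """Raised when a document declares entities or references external ones."""


def reject_entities(xml_text: str) -> None:
    """Stdlib-only guard: walk the document with expat and abort on the first
    entity declaration or external entity reference. A bare DOCTYPE is still
    allowed, mirroring defusedxml's defaults (forbid_entities, forbid_external)."""
    parser = expat.ParserCreate()
    # Never fetch or expand an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise XMLBombError("entity declaration not allowed: %s" % name)

    def external_ref(context, base, system_id, public_id):
        raise XMLBombError("external entity reference not allowed: %r" % system_id)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_text, True)


def safe_fromstring(xml_text: str) -> ET.Element:
    """Parse only after the guard has accepted the document."""
    reject_entities(xml_text)
    return ET.fromstring(xml_text)


def is_rejected(xml_text: str) -> bool:
    """True if the guard refuses the document, False if it parses cleanly."""
    try:
        safe_fromstring(xml_text)
    except XMLBombError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_billion_laughs(3, 10)
    print(len(bomb), "bytes in ->", unsafe_text_length(bomb), "chars out")
    for payload in (bomb, make_quadratic_blowup(1000, 50)):
        print("rejected by guard:", is_rejected(payload))
    print("plain document text:", safe_fromstring("<status>ok</status>").text)
```

Raising the fan-out or depth of `make_billion_laughs` quickly reaches the point where the stdlib call either exhausts memory or trips the amplification limit that newer bundled expat versions enforce; the guard never gets that far because it aborts at the first `<!ENTITY` declaration, before any expansion happens.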

Metadata

Created: 2022-08-11T18:06:05Z
Modified: 2022-08-11T18:06:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-7r9x-qrpr-3cxw/GHSA-7r9x-qrpr-3cxw.json
CWE IDs: ["CWE-611"]
Alternative ID: N/A
Finding: F083
Auto approve: 1