
CVE-2023-27476 owslib

Package

Manager: pip
Name: owslib
Vulnerable Version: >=0 <0.28.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00123 (percentile 0.32138)

Details

OWSLib vulnerable to XML External Entity (XXE) Injection

### Impact

OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.

### Patches

- Use only lxml for XML handling, adding `resolve_entities=False` to `lxml`'s parser: https://github.com/geopython/OWSLib/pull/863

### Workarounds

```python
from lxml import etree

# OWSLib's own namespace helper; the call is unchanged from the advisory.
patch_well_known_namespaces(etree)
# Make every lxml parse in the process refuse to resolve entity declarations.
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)
```

### References

- [`GHSL-2022-131`](https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/)
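The advisory's fix is `resolve_entities=False` on lxml's parser. The block below is an added example, not OWSLib's code and not the pull request above: it applies the same guard to the standard-library expat parser that OWSLib's `xml.etree` path uses, so it runs without lxml installed. It refuses any `<!ENTITY>` declaration (internal or `SYSTEM`) before expat can expand it, and contrasts that with the default expat behaviour, which silently substitutes an internal entity's replacement text. The three XML documents and the `file:///placeholder/not-read` URI are constructed samples, not payloads from the advisory.

```python
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """Raised when a document declares an entity, internal or external."""


def _build_parser(refuse_entities: bool):
    parser = expat.ParserCreate()
    # Never fetch external DTD subsets or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    if refuse_entities:
        # expat calls this for every <!ENTITY ...> before anything is expanded,
        # so raising here aborts the parse with no replacement text produced.
        def entity_decl(name, is_param, value, base, system_id, public_id, notation):
            raise EntityDeclarationError(f"refusing entity declaration {name!r}")

        parser.EntityDeclHandler = entity_decl
    return parser


def element_texts(data: bytes, refuse_entities: bool = True) -> dict:
    """Parse `data` and return {tag: text} for every element in the document."""
    parser = _build_parser(refuse_entities)
    texts = {}
    stack = []

    def start(tag, attrs):
        stack.append(tag)
        texts[tag] = ""

    def chars(content):
        if stack:  # ignore anything reported outside the document element
            texts[stack[-1]] += content

    def end(tag):
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return texts


# Constructed samples (not from the advisory). The external entity points at a
# placeholder URI; the guarded parser rejects it before it could be dereferenced.
BENIGN = b'<?xml version="1.0"?><Capabilities><Title>Demo WMS</Title></Capabilities>'
INTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY greet "expanded">]>'
    b'<d><t>&greet;</t></d>'
)
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
    b'<d><t>&ext;</t></d>'
)


def demo() -> dict:
    """Show the guard accepting benign XML and rejecting entity declarations."""
    out = {
        "benign": element_texts(BENIGN)["Title"],
        # Default expat: the internal entity is expanded into the element text.
        "unguarded": element_texts(INTERNAL_ENTITY, refuse_entities=False)["t"],
    }
    for label, doc in (("internal", INTERNAL_ENTITY), ("external", EXTERNAL_ENTITY)):
        try:
            element_texts(doc)
            out[label] = "accepted"
        except EntityDeclarationError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Rejecting the declaration itself, rather than only the external reference, is the stricter choice: it also blocks internal-entity tricks (entity expansion bombs, CWE-611's neighbour CWE-776) that `resolve_entities=False` in lxml likewise neutralises, and it gives the application a clean error to log instead of a document with silently substituted content.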

Metadata

Created: 2023-03-07T20:41:36Z
Modified: 2024-10-07T21:17:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8h9c-r582-mggc/GHSA-8h9c-r582-mggc.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-8h9c-r582-mggc
Finding: F083
Auto approve: 1