logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-29128 petl

Package

Manager: pip
Name: petl
Vulnerable Version: >=0 <1.6.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS: 0.01877 pctl0.82426

Details

XXE in petl ### Impact Information Disclosure ### Summary [petl](https://github.com/petl-developers/petl) is a Python library that provides functions for extraction, transformation, and loading (ETL) of data. petl before 1.68, in some configurations, allows resolution of entities in XML input. An attacker who is able to submit XML input to an application using petl can disclose arbitrary files on the file system in the context of the user under which the application is running. ### Affected Applications Applications that: - accept attacker-supplied XML input that is processed using petl < 1.68 - return the response generated by petl back to the attacker - configure lxml as the underlying XML processing library used by petl - have read privileges in filesystem files with sensitive information ### Mitigation Update to petl >= 1.68 ### Workarounds - Assure there is no user/external access to the application using [petl](https://github.com/petl-developers/petl) - Assure your application is not using the function [fromxml()](https://petl.readthedocs.io/en/stable/io.html#petl.io.xml.fromxml) ### References - https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md - https://github.com/petl-developers/petl/pull/527 - https://github.com/petl-developers/petl/releases/tag/v1.6.8 - https://petl.readthedocs.io/en/stable/changes.html - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing ### For more information If you have any questions or comments about this advisory: * Add a comment in the Github [issue](https://github.com/petl-developers/petl/pull/527) Thaks to Naveen Sunkavally.

Metadata

Created: 2020-12-02T18:28:30Z
Modified: 2024-10-09T20:55:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-f5gc-p5m3-v347/GHSA-f5gc-p5m3-v347.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-f5gc-p5m3-v347
Finding: F083
Auto approve: 1