XML External Entity Vulnerability in Python Products
CVE-2022-48565

9.8CRITICAL

Key Information:

Vendor: Python
Status: Python
Vendor: CVE Published:; 22 August 2023

Summary

An XML External Entity (XXE) vulnerability has been identified in Python's plistlib module. This issue allows for potential exploitation through the processing of XML plist files, which previously accepted entity declarations. The Python Software Foundation has addressed this flaw starting from version 3.9.1 to enhance the security posture of its product. The vulnerability emphasizes the importance of strict parsing of XML entities to prevent XML-related attacks.

References

https://bugs.python.org/issue42051

https://lists.debian.org/debian-lts-announce/2023/09/msg0...

mailing-list

https://security.netapp.com/advisory/ntap-20231006-0007/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2023
Vulnerability Reserved
Jul 23, 2023