XML External Entity (XXE) Injection in OWSLib
CVE-2023-27476

8.2HIGH

Key Information:

Vendor

Geopython

Status
Owslib
Vendor
CVE Published:
8 March 2023

What is CVE-2023-27476?

OWSLib is a Python library designed for client programming with Open Geospatial Consortium (OGC) web service standards. The library's XML parser does not disable entity resolution, creating a security flaw that enables attackers to conduct arbitrary file reads via malicious XML payloads. This issue impacts all XML parsing functions within the OWSLib codebase. To mitigate the risk, users are strongly advised to upgrade to version 0.28.1, as it addresses this vulnerability. Alternatively, users can apply a manual patch, but upgrading is recommended. For further details, refer to related security advisories.

Affected Version(s)

OWSLib < 0.28.1

References

https://github.com/geopython/OWSLib/security/advisories/G...
x_refsource_CONFIRM
https://github.com/geopython/OWSLib/pull/863/commits/b926...
x_refsource_MISC
https://securitylab.github.com/advisories/GHSL-2022-131_o...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.