CVE-2023-27476: OWSLib vulnerable to XML External Entity (XXE) Injection
(updated )
OWSLib’s XML parser (which supports both lxml and xml.etree) does not disable entity resolution for lxml, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.
References
- github.com/advisories/GHSA-8h9c-r582-mggc
- github.com/geopython/OWSLib
- github.com/geopython/OWSLib/pull/863
- github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f
- github.com/geopython/OWSLib/releases/tag/0.28.1
- github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
- github.com/pypa/advisory-database/tree/main/vulns/owslib/PYSEC-2023-86.yaml
- lists.debian.org/debian-lts-announce/2023/06/msg00032.html
- nvd.nist.gov/vuln/detail/CVE-2023-27476
- securitylab.github.com/advisories/GHSL-2022-131_owslib
- www.debian.org/security/2023/dsa-5426
Detect and mitigate CVE-2023-27476 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →