Coordinated Disclosure Timeline

  • 2022-11-30: Report sent to geopython-security at lists.osgeo.org
  • 2022-12-06: Reminder sent to geopython-security at lists.osgeo.org
  • 2023-02-22: Reminder sent to geopython-security at lists.osgeo.org
  • 2023-02-23: Report is acknowledged
  • 2023-02-28: Deadline expires as per our security policy
  • 2023-03-06: Advisory GHSA-8h9c-r582-mggc is published

Summary

OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.

Product

OWSLib

Tested Version

0.27.2

Details

Issue: XML parsing is vulnerable to XML External Entities (XXE) injection (GHSL-2022-131)

OWSLib does not disable entity resolution in any of its ~115 XML parsing calls. If any part of a parsed XML document is user-controlled, an attacker may be able to inject XML external entities and thereby read arbitrary files from the file system, which might lead to more severe exploit primitives.

Moreover, we have identified several projects (among OWSLib’s 1k+ dependents) that rely on OWSLib’s XML parsing module to parse custom XML without applying any mitigation of their own, making them vulnerable to the same exploit primitives.
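As an added example (not OWSLib code and not part of the GHSL report), the following stdlib-only guard shows the mitigation a dependent can apply to untrusted XML before handing it to any parser: expat is run in a pre-scan that refuses every entity declaration and every external DTD reference, so no entity is ever resolved. For lxml-based code the parser-side equivalent is `lxml.etree.XMLParser(resolve_entities=False)`; the WMS-style documents below are constructed for the demonstration and the SYSTEM path is a placeholder that is never read.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares DTD entities or an external DTD."""


def reject_entities(data: bytes) -> None:
    """Pre-scan with expat; raise UnsafeXMLError before any entity is resolved.

    Rejects external entities (the XXE file-read primitive, SYSTEM/PUBLIC ids),
    internal entities (entity-expansion denial of service) and external DTD
    subsets. Predefined entities such as &amp; do not trigger the handlers.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError(f"external DTD reference in DOCTYPE {name!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) is not None else "internal"
        raise UnsafeXMLError(f"{kind} entity declaration {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        return 0  # never fetch anything; 0 makes expat abort the parse

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError here


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after the entity guard passes."""
    reject_entities(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True if the document contains no entity declarations or external DTD."""
    try:
        reject_entities(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


# Constructed sample documents (not real OWSLib traffic).
BENIGN = (b'<?xml version="1.0"?><WMS_Capabilities version="1.3.0">'
          b'<Service><Title>Demo &amp; test</Title></Service></WMS_Capabilities>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM '
                   b'"file:///placeholder/never-read">]><d>&x;</d>')
INTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY x "y">]><d>&x;</d>'
EXTERNAL_DTD = b'<!DOCTYPE d SYSTEM "http://dtd.invalid/placeholder.dtd"><d/>'
```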

Impact

This issue may lead to Arbitrary File Read.

Resources

CVE

  • CVE-2023-27476

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-131 in any communication regarding this issue.