Coordinated Disclosure Timeline

Summary

OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.

Product

OWSLib

Tested Version

0.27.2

Details

Issue: XML parsing is vulnerable to XML External Entities (XXE) injection (GHSL-2022-131)

OWSLib does not disable entity resolution for the ~115 XML parsing calls. If any part of the parsed XML document is user-controlled, an attacker may be able to inject XML external entities, thus being able to read arbitrary files from the file system, which might lead to more severe exploit primitives.

Moreover, we have identified several projects (out of OWSLib’s +1k dependents) that rely on OWSLib’s XML parsing library to parse custom XML without applying any mitigation, making them vulnerable to the former exploit primitives.

Impact

This issue may lead to Arbitrary File Read.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-131 in any communication regarding this issue.