Coordinated Disclosure Timeline
- 2022-11-30: Report sent to geopython-security at lists.osgeo.org
- 2022-12-06: Reminder sent to geopython-security at lists.osgeo.org
- 2023-02-22: Reminder sent to geopython-security at lists.osgeo.org
- 2023-02-23: Report is acknowledged
- 2023-02-28: Deadline expires as per our security policy
- 2023-03-06: Advisory GHSA-8h9c-r582-mggc is published
OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.
Issue: XML parsing is vulnerable to XML External Entities (XXE) injection
OWSLib does not disable entity resolution for the ~115 XML parsing calls. If any part of the parsed XML document is user-controlled, an attacker may be able to inject XML external entities, thus being able to read arbitrary files from the file system, which might lead to more severe exploit primitives.
Moreover, we have identified several projects (out of OWSLib’s 1k+ dependents) that rely on OWSLib’s XML parsing library to parse custom XML without applying any mitigation, making them vulnerable to the former exploit primitives.
This issue may lead to Arbitrary File Read.
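As an added defensive example (not OWSLib's own code), the standard-library gate below refuses any DOCTYPE or entity declaration in untrusted XML before the bytes reach a parser whose entity resolution may still be enabled. The sample documents and the placeholder file path are constructed for the demonstration.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD or any entity."""


def reject_entities(data: bytes) -> None:
    """Scan `data` with expat and abort on the first DOCTYPE or entity declaration.

    An OGC response (GetCapabilities, GetFeature, ...) never needs a DTD, so any
    DOCTYPE in user-controlled XML is treated as hostile and rejected before the
    document reaches a parser that might still resolve external entities.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Exceptions raised inside expat callbacks propagate out of Parse().
    parser.Parse(data, True)


def is_safe(data: bytes) -> bool:
    """True if `data` is well-formed and declares no DTD or entities."""
    try:
        reject_entities(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


def parse_untrusted(data: bytes) -> ET.Element:
    """Gate first, then parse. When lxml is the parser, also construct it as
    lxml.etree.XMLParser(resolve_entities=False, no_network=True) so that
    entities are never expanded even if this gate is bypassed."""
    reject_entities(data)
    return ET.fromstring(data)


# Constructed samples: a minimal capabilities document and one that declares an
# external entity (placeholder path, not a real target).
BENIGN = (b'<?xml version="1.0"?>'
          b'<WMS_Capabilities version="1.3.0"><Service><Name>WMS</Name>'
          b'</Service></WMS_Capabilities>')
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE WMS_Capabilities [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
           b'<WMS_Capabilities><Service><Name>&ext;</Name></Service></WMS_Capabilities>')
```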
This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
You can contact the GHSL team at email@example.com; please include a reference to GHSL-2022-131 in any communication regarding this issue.