March 15, 2023

GHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476

Jorge Rosillo

Coordinated Disclosure Timeline

Summary

OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.

Product

OWSLib

Tested Version

0.27.2

Details

Issue: XML parsing is vulnerable to XML External Entities (XXE) injection (GHSL-2022-131)

OWSLib does not disable entity resolution in any of its ~115 XML parsing calls. If any part of the parsed XML document is user-controlled, an attacker may be able to inject XML external entities and read arbitrary files from the file system, which might lead to more severe exploit primitives.

Moreover, we have identified several projects (out of OWSLib’s 1k+ dependents) that rely on OWSLib’s XML parsing library to parse custom XML without applying any mitigation, making them vulnerable to the exploit primitives described above.
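A pre-parse guard that a project handing untrusted XML to a parser could apply, shown as an added example (not OWSLib's code and not its fix): it uses the standard library's expat parser to reject any document that declares a DTD entity. The names `reject_entities`, `is_safe`, `EntityDeclarationError` and the sample documents are constructed for illustration.

```python
from xml.parsers import expat


class EntityDeclarationError(ValueError):
    """The document declares a DTD entity (internal, external or parameter)."""


def reject_entities(xml_bytes: bytes) -> bytes:
    """Return xml_bytes unchanged if it declares no entities, else raise.

    Malformed XML raises expat.ExpatError. A DOCTYPE that declares no
    entities is allowed through.
    """
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        if is_param:
            kind += " parameter"
        raise EntityDeclarationError(f"{kind} entity declared: {name}")

    # expat reports every <!ENTITY ...> declaration here, before any
    # reference to it in the document body is expanded.
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return xml_bytes


def is_safe(xml_bytes: bytes) -> bool:
    """True when the document is well-formed and declares no entities."""
    try:
        reject_entities(xml_bytes)
    except (EntityDeclarationError, expat.ExpatError):
        return False
    return True


# Constructed sample documents (not taken from OWSLib or the advisory).
BENIGN = b"<Capabilities><Name>demo</Name></Capabilities>"
EXTERNAL = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
            b'"file:///constructed/placeholder">]><r>&x;</r>')
INTERNAL = b'<!DOCTYPE r [<!ENTITY a "aaa">]><r>&a;</r>'
DOCTYPE_ONLY = b'<!DOCTYPE r SYSTEM "r.dtd"><r/>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external", EXTERNAL),
                       ("internal", INTERNAL), ("doctype-only", DOCTYPE_ONLY)]:
        print(f"{label:13} safe={is_safe(doc)}")
```

Where the parser in use is lxml, constructing it as `etree.XMLParser(resolve_entities=False)` turns off entity expansion at the parser itself, so the guard above is a complement rather than a substitute.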

Impact

This issue may lead to Arbitrary File Read.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2022-131 in any communication regarding this issue.