FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py39-OWSLib -- arbitrary file read vulnerability

Affected packages
py39-OWSLib < 0.28.1

Details

VuXML ID: e5d117b3-2153-4129-81ed-42b0221afa78
Discovery: 2023-03-07
Entry: 2023-04-09

Jorge Rosillo reports:

OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.

This affects all XML parsing in the codebase.
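As an added example (not OWSLib's code or the reporter's), the intake a caller would put in front of the parser described above: refuse any document that carries a DTD before it reaches either backend, and, when lxml is the backend, build it with resolve_entities=False instead of the default. Function names and the sample documents are constructed for this illustration.

```python
"""Defensive intake for untrusted OWS XML (added example, not OWSLib code).
Layer 1: has_dtd() spots a DOCTYPE with the stdlib expat parser before the
document reaches any real parser; entities can only be declared in a DTD.
Layer 2: hardened_lxml_parser() builds lxml with entity resolution, DTD
loading and network fetches off, instead of lxml's default resolve_entities=True.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DTDFound(Exception):
    """Raised inside the expat callback to stop parsing at the DOCTYPE."""


def has_dtd(payload: bytes) -> bool:
    """True if the document carries a DOCTYPE, whatever its encoding."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDFound(name)  # exceptions propagate out of Parse()

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(payload, True)
    except DTDFound:
        return True
    except expat.ExpatError:
        return False  # malformed, and no DOCTYPE was reached before the error
    return False


def hardened_lxml_parser():
    """lxml parser with the settings the advisory says were missing.
    Imported lazily so the module also loads without lxml installed."""
    from lxml import etree
    return etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)


def parse_untrusted(payload: bytes, use_lxml: bool = False):
    """Refuse any DTD up front, then parse with the chosen backend."""
    if has_dtd(payload):
        raise ValueError("DTD/entity declarations are rejected in untrusted XML")
    if use_lxml:
        from lxml import etree
        return etree.fromstring(payload, parser=hardened_lxml_parser())
    return ET.fromstring(payload)


def is_accepted(payload: bytes) -> bool:
    """Did the payload pass intake and parse cleanly?"""
    try:
        parse_untrusted(payload)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed samples: a plain WMS request, and one declaring a file entity.
BENIGN = b"<GetCapabilities service='WMS' version='1.3.0'/>"
WITH_DTD = b"<!DOCTYPE r [<!ENTITY e SYSTEM 'file:///placeholder'>]><r>&e;</r>"
```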

References

CVE Name: CVE-2023-27476
URL: https://osv.dev/vulnerability/GHSA-8h9c-r582-mggc