CVE-2017-5992: Improper Restriction of XML External Entity Reference in Openpyxl
CVSS Score (v3.0): 8.2
Basic Information
CVE ID: CVE-2017-5992
GHSA ID:
CWE: Improper Restriction of XML External Entity Reference
EPSS Score: 0.66218%
Published: 5/17/2022
Updated: 10/7/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| openpyxl | pip | <= 2.4.1 | 2.4.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from Openpyxl's use of lxml's default XML parser, which resolves external entities. The key vulnerable function was openpyxl.xml.functions.fromstring, which parsed XML directly without any entity restrictions. It was called during critical parsing operations such as reading workbook properties (read_properties), styles, and the other XML-based parts of .xlsx files. The patch explicitly added resolve_entities=False to the XMLParser initialization, confirming that these were the injection points for XXE payloads.
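One defensive check the analysis above suggests, written here as an added example that is not part of openpyxl or of this advisory: before an entity-resolving parser such as openpyxl <= 2.4.1 opens an untrusted workbook, reject any XML part of the .xlsx container that declares a DOCTYPE or an external entity, since well-formed OOXML parts never carry either. The core-properties samples are constructed, and the path in the entity declaration is a placeholder.

```python
import io
import re
import zipfile

# Well-formed OOXML parts never carry a DOCTYPE, so an internal subset or an
# external entity declaration inside a workbook part is a reliable signal of an
# XXE attempt against a parser that still resolves entities (openpyxl <= 2.4.1).
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def scan_xlsx_for_xxe(data: bytes) -> list:
    """Return (part name, reason) for every XML part of the .xlsx container that
    declares a DOCTYPE or an external entity; an empty list means no finding.
    A literal '<!DOCTYPE' inside a cell value is escaped as &lt; in a well-formed
    part, so it does not trigger this check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            part = zf.read(info.filename)
            if EXTERNAL_ENTITY_RE.search(part):
                findings.append((info.filename, "external entity declaration"))
            elif DOCTYPE_RE.search(part):
                findings.append((info.filename, "DOCTYPE declaration"))
    return findings


def build_xlsx(parts: dict) -> bytes:
    """Pack {part name: bytes} into a zip container (constructed test input only;
    a real workbook has many more parts, but the scanner does not need them)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples of docProps/core.xml, the part that read_properties() parses.
CORE_NS = b'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
BENIGN_CORE = (b'<?xml version="1.0"?><cp:coreProperties ' + CORE_NS +
               b'><cp:category>report</cp:category></cp:coreProperties>')
# The same part carrying an external entity declaration; the path is a placeholder.
XXE_CORE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder">]>'
            b'<cp:coreProperties ' + CORE_NS + b'><cp:category>&ext;</cp:category></cp:coreProperties>')
```

The durable fix remains the one the patch applied, an lxml XMLParser created with resolve_entities=False; this pre-scan only adds a detection layer for pipelines that cannot move past 2.4.1 immediately.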