
CVE-2017-5992: Improper Restriction of XML External Entity Reference in Openpyxl

CVSS Score (v3.0): 8.2

Basic Information

EPSS Score: 0.66218%
Published: 5/17/2022
Updated: 10/7/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
openpyxl     | pip       | <= 2.4.1            | 2.4.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from Openpyxl's use of lxml's default XML parser, which resolves external entities. The key vulnerable function was openpyxl.xml.functions.fromstring, which parsed XML directly without any entity restrictions. This function was called during critical parsing operations such as reading workbook properties (read_properties), styles, and the other XML-based parts of an .xlsx file. The patch explicitly added resolve_entities=False to the XMLParser initialization, confirming that these call sites were the injection points for XXE payloads.
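The following script is an added example, not code from openpyxl or from Miggo. It contrasts lxml's default XMLParser, which substitutes entity references with their values, against a parser created with resolve_entities=False, the setting the fix for this CVE added. The XML document, the entity name "leak" and the helper names are all constructed for the demo; the entity is declared internally so the script runs offline, but the switch shown is the same one that governs whether external (SYSTEM) entities are substituted. A third helper lists the entities a document declares, which is a useful thing to log or reject when accepting untrusted .xlsx parts.

```python
"""Added example (not openpyxl's or Miggo's code): lxml default parser vs.
XMLParser(resolve_entities=False), the option the CVE-2017-5992 fix added."""
from lxml import etree

# Constructed sample document: a DOCTYPE that declares an entity and a body
# that references it. Each part of an .xlsx (e.g. docProps/core.xml) is just
# such an XML file inside a zip, so this text could arrive in a workbook.
SAMPLE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE doc [ <!ENTITY leak "replacement-text"> ]>\n'
    b'<doc>&leak;</doc>'
)


def parse_default(data: bytes) -> str:
    """Default lxml parser: the entity reference is replaced by its value,
    which is the behaviour openpyxl <= 2.4.1 relied on."""
    root = etree.fromstring(data, etree.XMLParser())
    return root.text or ""


def parse_hardened(data: bytes):
    """Parser with resolve_entities=False (the patched behaviour): the
    reference is left unexpanded, so its replacement text never enters the
    tree. Returns (element text, names of unresolved entity references)."""
    parser = etree.XMLParser(resolve_entities=False)
    root = etree.fromstring(data, parser)
    # Unexpanded references survive as _Entity nodes in the tree; report
    # their names so a caller can log what was refused instead of dropping it.
    unresolved = [node.name for node in root if isinstance(node, etree._Entity)]
    return root.text or "", unresolved


def declared_entities(data: bytes) -> list:
    """Detection aid: names of entities declared in the internal DTD subset.
    Uses the hardened parser so the check itself cannot trigger expansion.
    Office XML parts never legitimately declare entities, so a non-empty
    result is a strong signal the document should be rejected."""
    tree = etree.fromstring(data, etree.XMLParser(resolve_entities=False))
    dtd = tree.getroottree().docinfo.internalDTD
    if dtd is None:
        return []
    return [entity.name for entity in dtd.iterentities()]


if __name__ == "__main__":
    print("default parser text :", repr(parse_default(SAMPLE_XML)))
    print("hardened parser     :", parse_hardened(SAMPLE_XML))
    print("declared entities   :", declared_entities(SAMPLE_XML))
```

In the hardened case `root.text` is empty and the entity shows up only as a named reference node, which is exactly what stops a SYSTEM entity pointing at a local file from being read into the workbook's properties or styles; `declared_entities` gives a cheap pre-check that can be applied to every XML part of an upload before it reaches a document parser at all.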

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
