
CVE-2021-39371: XML External Entity Injection in PyWPS

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.62563%
Published: 9/2/2021
Updated: 10/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: pywps
Ecosystem: pip
Vulnerable Versions: < 4.5.0
First Patched Version: 4.5.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from using lxml's default XML parser without disabling external entity resolution. The key vulnerable functions were direct usages of lxml.etree.fromstring() and parse() methods across multiple files before they were replaced with a secured parser (via pywps/xml_util.py) that sets resolve_entities=False. The patch specifically modified these calls to use the secured parser, confirming their role in the XXE vulnerability. The medium confidence on tostring() reflects its involvement in XML processing even though it's not directly responsible for entity resolution.
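The contrast described above, as an added example that is neither Miggo's nor PyWPS's code: lxml's default parser beside a parser built with resolve_entities=False, the setting the PyWPS fix introduces. The WPS request, the stand-in file and the extra hardening options (no_network, load_dtd) are this example's own assumptions.

```python
import os
import tempfile
from lxml import etree

SECRET = b"CONSTRUCTED-SECRET"  # stands in for a file on the application server


def secure_parser() -> etree.XMLParser:
    """lxml parser with the setting the PyWPS patch added (resolve_entities=False)
    plus two further hardening options that are this example's own choice."""
    return etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)


def build_request(path: str) -> bytes:
    """Constructed WPS Execute request whose internal DTD declares an external
    entity that points at a local file, the input shape the CVE describes."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE Execute [<!ENTITY ext SYSTEM "file://' + path.encode() + b'">]>\n'
        b'<wps:Execute xmlns:wps="http://www.opengis.net/wps/1.0.0">'
        b"<wps:Identifier>&ext;</wps:Identifier></wps:Execute>"
    )


def leaks_file(request: bytes, parser) -> bool:
    """True if the parsed tree now carries the referenced file's contents."""
    return SECRET in etree.tostring(etree.fromstring(request, parser))


def has_internal_dtd(request: bytes) -> bool:
    """Defensive pre-check: WPS requests never need a DTD, so a server can
    reject any document carrying one before it looks at the content."""
    root = etree.fromstring(request, secure_parser())
    return root.getroottree().docinfo.internalDTD is not None


def compare_parsers() -> dict:
    """Parse one constructed request with both parsers. lxml's default expanded
    external entities in its 2021 releases; later releases tightened that."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(SECRET)
        path = fh.name
    try:
        request = build_request(path)
        return {
            "default": leaks_file(request, None),
            "secured": leaks_file(request, secure_parser()),
            "dtd_present": has_internal_dtd(request),
        }
    finally:
        os.unlink(path)
```

The "secured" result is False on every lxml release; the "default" result depends on the installed lxml version, which is why the fix pins the behaviour explicitly rather than relying on the default.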


WAF Protection Rules

WAF Rule

An XML External Entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
