Miggo Logo

CVE-2022-31471: untangle vulnerable to Improper Restriction of XML External Entity Reference

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.47852%
Published
8/6/2022
Updated
11/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
untanglepip< 1.2.11.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper XML parsing configuration. The release notes for 1.2.1 explicitly mention switching to defusedxml to prevent XXE attacks, indicating the core parsing function (untangle.parse) was previously using an insecure XML parser. This aligns with standard XXE vulnerability patterns where failure to configure safe parsing options (like disabling external entities) in XML processing functions creates exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription unt*n*l* is * pyt*on li*r*ry to *onv*rt XML **t* to pyt*on o*j**ts. unt*n*l* v*rsions *.*.* *n* **rli*r improp*rly r*stri*ts XML *xt*rn*l *ntity r***r*n**s. *y *xploitin* t*is vuln*r**ility, * r*mot* un*ut**nti**t** *tt**k*r m*y r***

Reasoning

T** vuln*r**ility st*ms *rom improp*r XML p*rsin* *on*i*ur*tion. T** r*l**s* not*s *or *.*.* *xpli*itly m*ntion swit**in* to `***us**xml` to pr*v*nt XX* *tt**ks, in*i**tin* t** *or* p*rsin* *un*tion (`unt*n*l*.p*rs*`) w*s pr*viously usin* *n ins**ur*