7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31471

GHSA ID

GHSA-f83q-2cp7-qrjg

EPSS Score

0.47852%

CWE

CWE-611

Published

8/6/2022

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31471

CVE-2022-31471: untangle vulnerable to Improper Restriction of XML External Entity Reference

Description

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.

Impact

An attacker may be able to read the contents of local files. This affects untangle versions up to and including 1.2.0

Patches

The problem has been fixed with version 1.2.1

Workarounds

None

References

https://jvn.jp/en/jp/JVN30454777/

For more information

If you have any questions or comments about this advisory:

Open an issue

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31471

GHSA ID

GHSA-f83q-2cp7-qrjg

EPSS Score

0.47852%

CWE

CWE-611

Published

8/6/2022

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
untangle	pip	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper XML parsing configuration. The release notes for 1.2.1 explicitly mention switching to defusedxml to prevent XXE attacks, indicating the core parsing function (untangle.parse) was previously using an insecure XML parser. This aligns with standard XXE vulnerability patterns where failure to configure safe parsing options (like disabling external entities) in XML processing functions creates exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription unt*n*l* is * pyt*on li*r*ry to *onv*rt XML **t* to pyt*on o*j**ts. unt*n*l* v*rsions *.*.* *n* **rli*r improp*rly r*stri*ts XML *xt*rn*l *ntity r***r*n**s. *y *xploitin* t*is vuln*r**ility, * r*mot* un*ut**nti**t** *tt**k*r m*y r***

Reasoning

T** vuln*r**ility st*ms *rom improp*r XML p*rsin* *on*i*ur*tion. T** r*l**s* not*s *or *.*.* *xpli*itly m*ntion swit**in* to `***us**xml` to pr*v*nt XX* *tt**ks, in*i**tin* t** *or* p*rsin* *un*tion (`unt*n*l*.p*rs*`) w*s pr*viously usin* *n ins**ur*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31471: untangle vulnerable to Improper Restriction of XML External Entity Reference

Description

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI