
CVE-2022-37189: MEI2Volpiano is vulnerable to XML External Entity (XXE), leading to a Denial of Service (DoS)

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.12249%
Published: 9/8/2022
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: mei2volpiano
Ecosystem: pip
Vulnerable Versions: <= 0.8.2
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from using Python's xml.etree.ElementTree library to parse untrusted XML input. The get_mei_elements function directly uses ET.parse(filename) without configuring the XML parser to disable external entity resolution. The Python documentation explicitly states that xml.etree is unsafe for parsing untrusted data due to XXE risks. The function's implementation matches the vulnerability description's root cause (unsafe XML parsing), and the code location is confirmed in the provided GitHub commit diff.
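The following is an added example, not code from MEI2Volpiano: it places the parsing pattern the analysis describes (plain ElementTree parsing of untrusted input) beside a loader that builds the same ElementTree from the standard-library expat parser and aborts on any DOCTYPE, the strategy defusedxml uses for its forbid_dtd option. The function names, the MEI sample and the DOCTYPE sample are all constructed for this illustration.

```python
# Added example, not code from MEI2Volpiano. The advisory's pattern
# (ElementTree parsing with no DTD controls) next to a DTD-rejecting loader
# built on stdlib expat, the same strategy defusedxml's forbid_dtd uses.
import xml.etree.ElementTree as ET
from xml.parsers import expat

MEI_NS = "http://www.music-encoding.org/ns/mei"

# Constructed sample inputs, not real MEI2Volpiano test data.
BENIGN_MEI = b"""<?xml version="1.0" encoding="UTF-8"?>
<mei xmlns="http://www.music-encoding.org/ns/mei">
  <music><body><mdiv><score><section><staff><layer>
    <note pname="c" oct="4"/>
  </layer></staff></section></score></mdiv></body></music>
</mei>"""

# A document carrying a DOCTYPE. Entity declarations are what XXE and
# entity-expansion DoS are built on, and no MEI file needs them, so
# untrusted input can simply be refused as soon as a DOCTYPE appears.
DTD_MEI = b"""<?xml version="1.0"?>
<!DOCTYPE mei [<!ENTITY probe "x">]>
<mei xmlns="http://www.music-encoding.org/ns/mei">&probe;</mei>"""


class ForbiddenDTD(ValueError):
    """Raised when untrusted input declares a DOCTYPE."""


def get_mei_root_unsafe(data: bytes) -> ET.Element:
    """The advisory's pattern (hypothetical name): DTD accepted as-is."""
    return ET.fromstring(data)


def get_mei_root_safe(data: bytes) -> ET.Element:
    """Build the ElementTree from raw expat events; abort on any DOCTYPE."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(namespace_separator="}")

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {name!r} not allowed in untrusted MEI")

    def qualify(name):  # expat yields "uri}local"; ElementTree uses "{uri}local"
        return "{" + name if "}" in name else name

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda n, a: builder.start(
        qualify(n), {qualify(k): v for k, v in a.items()})
    parser.EndElementHandler = lambda n: builder.end(qualify(n))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()
```

Because the check fires on the StartDoctypeDecl event, it rejects the document before any entity declaration in the internal subset is read, so no expansion work is done on untrusted input.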
