8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27476

GHSA ID

GHSA-8h9c-r582-mggc

EPSS Score

0.32243%

CWE

CWE-611

Published

3/7/2023

Updated

10/7/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27476

CVE-2023-27476: OWSLib vulnerable to XML External Entity (XXE) Injection

Impact

OWSLib's XML parser (which supports both lxml and xml.etree) does not disable entity resolution for lxml, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.

Patches

Use only lxml for XML handling, adding resolve_entities=False to lxml's parser: https://github.com/geopython/OWSLib/pull/863

Workarounds

patch_well_known_namespaces(etree)
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)

References

GHSL-2022-131

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27476

GHSA ID

GHSA-8h9c-r582-mggc

EPSS Score

0.32243%

CWE

CWE-611

Published

3/7/2023

Updated

10/7/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
OWSLib	pip	< 0.28.1	0.28.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focused on identifying functions directly related to the XML parsing and processing that were modified to address the XXE vulnerability. The primary evidence comes from the changes in owslib/etree.py and the usage of lxml's etree.set_default_parser function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t OWSLi*'s XML p*rs*r (w*i** supports *ot* `lxml` *n* `xml.*tr**`) *o*s not *is**l* *ntity r*solution *or `lxml`, *n* *oul* l*** to *r*itr*ry *il* r***s *rom *n *tt**k*r-*ontroll** XML p*ylo**. T*is *****ts *ll XML p*rsin* in t** *o****s*.

Reasoning

T** *n*lysis *o*us** on i**nti*yin* *un*tions *ir**tly r*l*t** to t** XML p*rsin* *n* pro**ssin* t**t w*r* mo*i*i** to ***r*ss t** XX* vuln*r**ility. T** prim*ry *vi**n** *om*s *rom t** ***n**s in owsli*/*tr**.py *n* t** us*** o* lxml's *tr**.s*t_***

8.2

Basic Information

Concerned about an active attack path?

CVE-2023-27476: OWSLib vulnerable to XML External Entity (XXE) Injection

Impact

Patches

Workarounds

References

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI