The vulnerability lies in the `validate_peppol_document` function in src/peppol_py/validation.py, which validates Peppol XML documents. Its root cause is that the XML processor, `PySaxonProcessor`, was not configured to prevent the resolution of external entities. An attacker could exploit this by submitting a malicious XML file containing external entity references, which the parser would then attempt to resolve, potentially exposing the contents of local files (an XML External Entity, XXE, vulnerability). The patch addresses this directly by adding the line `proc.set_configuration_property("http://saxon.sf.net/feature/allowedProtocols", "")` inside `validate_peppol_document`; this explicitly disallows the processor from accessing any URL, thereby mitigating the XXE. Therefore, any runtime profile capturing the execution of an exploit for this CVE would show the `validate_peppol_document` function in the stack trace.
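As an added defence-in-depth illustration (not code from peppol_py or its patch), the following standard-library pre-check refuses a Peppol document that declares external entities or an external DTD before it ever reaches the Saxon validator, complementing the `allowedProtocols` setting the fix introduces. The function names and the sample documents are constructed for this example.

```python
"""Pre-screen Peppol XML for external references before Saxon validation.
Added example; uses only the Python standard library's expat bindings."""
import xml.parsers.expat as expat


def find_external_references(xml_bytes: bytes) -> list:
    """Describe every external entity / external DTD the document declares,
    without resolving any of them."""
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> makes a resolving parser fetch a DTD.
        if system_id is not None or public_id is not None:
            findings.append(f"external DTD for <{name}>: {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # <!ENTITY name SYSTEM "file:///..."> is the classic XXE vector.
        if system_id is not None or public_id is not None:
            findings.append(f"external entity '{name}': {system_id or public_id}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Never load external parameter entities or an external DTD subset here.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # Malformed input is rejected as well; the validator would fail on it anyway.
        findings.append(f"not well-formed: {exc}")
    return findings


def safe_to_validate(xml_bytes: bytes) -> bool:
    """True only when the document declares no external references."""
    return not find_external_references(xml_bytes)


# Constructed sample inputs (placeholder paths, not real Peppol payloads).
BENIGN_INVOICE = b'<?xml version="1.0"?><Invoice><ID>INV-1</ID></Invoice>'
XXE_INVOICE = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE Invoice [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
               b'<Invoice><ID>&ext;</ID></Invoice>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_INVOICE), ("xxe", XXE_INVOICE)):
        print(label, "accepted" if safe_to_validate(doc) else find_external_references(doc))
```

The check only reports declarations; the Saxon-side `allowedProtocols` setting remains the control that stops resolution if a document slips past it.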
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| peppol_py | pip | < 1.1.1 | 1.1.1 |