N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7r9x-qrpr-3cxw

EPSS Score

CWE

CWE-611

Published

8/11/2022

Updated

1/7/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7r9x-qrpr-3cxw

GHSA-7r9x-qrpr-3cxw: mofh Vulnerable to Improper Restriction of XML External Entity Reference

The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:

Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.

The Problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.

Workarounds

For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the api_url argument, or MyOwnFreeHost's API must be hacked. So, if the user did not use a custom API URL they should be fine, however, upgrading is still advised.

Another workaround could be to call defusedxml.defuse_stdlib() before making any requests using the client.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7r9x-qrpr-3cxw

GHSA-7r9x-qrpr-3cxw:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7r9x-qrpr-3cxw

EPSS Score

CWE

CWE-611

Published

8/11/2022

Updated

1/7/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mofh	pip	< 1.0.1	1.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using Python's default xml.etree.ElementTree XML parser which doesn't restrict entity expansion by default. Both Client and AsyncClient classes contained a _parse_xml method that directly used xml.etree.ElementTree.fromstring() to parse untrusted XML input. The commit patched this by replacing the parser with defusedxml.ElementTree.fromstring(), which protects against entity expansion attacks. The vulnerable functions are clearly identified in the diff showing the XML parsing logic before patching.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7r9x-qrpr-3cxw: mofh Vulnerable to Improper Restriction of XML External Entity Reference

Workarounds

GHSA-7r9x-qrpr-3cxw:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-7r9x-qrpr-3cxw: mofh Vulnerable to Improper Restriction of XML External Entity Reference

Workarounds

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI