CVE-2021-39371

Published: Aug 23, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

Affected (3)

Products: Osgeo: Owslib, Pywps · Debian: Debian Linux

2 products

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Osgeo Owslib	Version 0.24.1
Osgeo Pywps	Before 4.4.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (6)

https://github.com/geopython/OWSLib/issues/790

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/geopython/pywps/pull/616

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://github.com/geopython/OWSLib/issues/790

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/geopython/pywps/pull/616

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.