Veracode Vulnerability DatabaseVERACODE:43018XML External Entity (XXE)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
48.1%
python3.9 is vulnerable to XML External Entity (XXE). This vulnerability exists due to a flaw in the way the plistlib module parses certain XML plist files. An attacker can exploit this vulnerability by sending a specially crafted plist file that references an external entity, which could allow the attacker to read arbitrary files on the system or execute arbitrary code.
References
bugs.python.org/issue42051
lists.debian.org/debian-lts-announce/2023/09/msg00022.html
lists.debian.org/debian-lts-announce/2023/10/msg00017.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
lists.fedoraproject.org/archives/list/[email protected]/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
lists.fedoraproject.org/archives/list/[email protected]/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
lists.fedoraproject.org/archives/list/[email protected]/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
security-tracker.debian.org/tracker/CVE-2022-48565
security.netapp.com/advisory/ntap-20231006-0007/
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
48.1%