CVE-2021-39371: XEE
First published: Mon Aug 23 2021(Updated: )
An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Osgeo Owslib | =0.24.1 | |
| Osgeo Pywps | <4.4.5 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this XXE injection?
The vulnerability ID for this XML external entity (XXE) injection is CVE-2021-39371.
What is the severity of CVE-2021-39371?
The severity of CVE-2021-39371 is high with a CVSS score of 7.5.
How does the XXE injection in PyWPS before 4.4.5 occur?
The XXE injection in PyWPS before 4.4.5 occurs by assigning a path to the entity, allowing the attacker to view files on the application server filesystem.
Is OWSLib 0.24.1 affected by CVE-2021-39371?
Yes, OWSLib 0.24.1 may also be affected by CVE-2021-39371.
How can I fix the XXE injection vulnerability in PyWPS and OWSLib?
To fix the XXE injection vulnerability, update PyWPS to version 4.4.5 or higher, and OWSLib to a version that has addressed this issue.
- collector/nvd-index
- agent/severity
- agent/author
- agent/event
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/osgeo
- canonical/osgeo owslib
- version/osgeo owslib/0.24.1
- canonical/osgeo pywps
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0