What is CVE-2023-27476?

CVE-2023-27476 is a vulnerability in the OWSLib Python package that allows arbitrary file reads from the file system.

How does CVE-2023-27476 occur?

CVE-2023-27476 occurs because OWSLib's XML parser does not disable entity resolution.

What is the severity of CVE-2023-27476?

CVE-2023-27476 has a severity rating of 7.5 (high).

Which versions of OWSLib are affected by CVE-2023-27476?

OWSLib versions up to and including 0.28.1 are affected by CVE-2023-27476.

How can I fix CVE-2023-27476?

To fix CVE-2023-27476, update OWSLib to version 0.29.2-1 or higher.

Vulnerability/
CVE-2023-27476

high

8.2

CWE

611

7/3/2023

2/8/2024

CVE-2023-27476: XML External Entity (XXE) Injection in OWSLib

First published: Tue Mar 07 2023(Updated: )

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Osgeo Owslib	<0.28.1
debian/owslib	<=0.17.1-1	0.17.1-1+deb10u1 0.23.0-1+deb11u1 0.27.2-3 0.29.2-1

Remedy

https://github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-27476?
CVE-2023-27476 is a vulnerability in the OWSLib Python package that allows arbitrary file reads from the file system.
How does CVE-2023-27476 occur?
CVE-2023-27476 occurs because OWSLib's XML parser does not disable entity resolution.
What is the severity of CVE-2023-27476?
CVE-2023-27476 has a severity rating of 7.5 (high).
Which versions of OWSLib are affected by CVE-2023-27476?
OWSLib versions up to and including 0.28.1 are affected by CVE-2023-27476.
How can I fix CVE-2023-27476?
To fix CVE-2023-27476, update OWSLib to version 0.29.2-1 or higher.

collector/debian-bugs
alias/CVE-2023-27476
collector/nvd-index
collector/security-tracker-debian
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/severity
agent/weakness
agent/author
agent/remedy
agent/references
agent/tags
agent/first-publish-date
agent/description
agent/event
vendor/osgeo
canonical/osgeo owslib
package-manager/debian

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.