CVE-2023-27476
Description
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
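The advisory above describes a parser that leaves entity resolution enabled. As an added example, not OWSLib's own code, the following stdlib-only guard (in the style of defusedxml) refuses any document that declares a DOCTYPE or an entity before it is handed to `xml.etree`, so no entity is ever resolved; the sample documents are constructed for the demonstration.

```python
"""Pre-parse guard: refuse XML that declares a DTD or entities.

Added example, not OWSLib code. expat is used here only as a scanner: it does
not fetch external entities on its own, and the scan aborts at the first
declaration, so the document is rejected before any entity could be resolved.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Document declares a DOCTYPE or an entity and is refused."""


def check_no_entities(data: bytes) -> None:
    """Raise UnsafeXMLError if `data` declares a DOCTYPE or any entity."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE for <{name}> refused (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def is_safe(data: bytes) -> bool:
    """True when the document carries no DOCTYPE or entity declaration."""
    try:
        check_no_entities(data)
    except UnsafeXMLError:
        return False
    return True


def parse_safely(data: bytes) -> ET.Element:
    """Run the guard first, then parse with xml.etree as usual."""
    check_no_entities(data)
    return ET.fromstring(data)


# Constructed samples: a minimal capabilities document, one carrying an
# internal entity subset, and one referencing an external DTD.
BENIGN = b'<?xml version="1.0"?><WMS_Capabilities version="1.3.0"><Service><Name>WMS</Name></Service></WMS_Capabilities>'
INTERNAL_ENTITY = b'<?xml version="1.0"?><!DOCTYPE WMS_Capabilities [<!ENTITY e "x">]><WMS_Capabilities>&e;</WMS_Capabilities>'
EXTERNAL_DTD = b'<?xml version="1.0"?><!DOCTYPE WMS_Capabilities SYSTEM "caps.dtd"><WMS_Capabilities/>'
```

The guard works the same in front of an `lxml` backend; it only inspects the bytes and does not depend on which parser consumes them afterwards.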
| Name | CVE-2023-27476 |
| Description | OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3470-1, DSA-5426-1 |
| Debian Bugs | 1034182 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| owslib (PTS) | bullseye (security), bullseye | 0.23.0-1+deb11u1 | fixed |
| owslib (PTS) | bookworm | 0.27.2-3 | fixed |
| owslib (PTS) | trixie | 0.33.0-1 | fixed |
| owslib (PTS) | forky | 0.35.0-1 | fixed |
| owslib (PTS) | sid | 0.36.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| owslib | source | experimental | 0.28.1-1~exp1 | | | |
| owslib | source | buster | 0.17.1-1+deb10u1 | | DLA-3470-1 | |
| owslib | source | bullseye | 0.23.0-1+deb11u1 | | DSA-5426-1 | |
| owslib | source | (unstable) | 0.27.2-3 | | | 1034182 |
Notes
https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063 (0.29.0)
https://github.com/geopython/OWSLib/commit/b0c687544ddc213d8dcd4a056139b63451938b21 (0.28.1)
https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| – | Affected | – |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0.27.2-3 |
| sid | Fixed | 0.27.2-3 |
| forky | Fixed | 0.27.2-3 |
| bullseye | Fixed | 0.23.0-1+deb11u1 |
| bookworm | Fixed | 0.27.2-3 |
References
- https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
- https://nvd.nist.gov/vuln/detail/CVE-2023-27476
- https://github.com/geopython/OWSLib/pull/863
- https://github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f
- https://github.com/geopython/OWSLib
- https://github.com/geopython/OWSLib/releases/tag/0.28.1
- https://github.com/pypa/advisory-database/tree/main/vulns/owslib/PYSEC-2023-86.yaml
- https://lists.debian.org/debian-lts-announce/2023/06/msg00032.html
- https://securitylab.github.com/advisories/GHSL-2022-131_owslib
- https://www.debian.org/security/2023/dsa-5426
- https://www.suse.com/security/cve/CVE-2023-27476.html
- https://security-tracker.debian.org/tracker/CVE-2023-27476