CVE-2021-29421: XML External Entity (XXE) Injection in Project Pikepdf

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 40.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 1; Latest update Apr 20

Description

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Source   Package                   Range start               Range end
debian   debian/pikepdf            < pikepdf 1.17.3+dfsg-5 (bookworm)
PyPI     pikepdf_project/pikepdf   1.3.0                     2.10.0
Debian   pikepdf_project/pikepdf   < 1.17.3+dfsg-5+3
NVD      pikepdf_project/pikepdf   1.3.0                     2.9.2

Also affects: Fedora 32, 33

Patches

🔴 Vulnerability Details (3)

GHSA: Improper Restriction of XML External Entity Reference in pikepdf (2021-04-20)
OSV: Improper Restriction of XML External Entity Reference in pikepdf (2021-04-20)
OSV: CVE-2021-29421: models/metadata (2021-04-01)

📋 Vendor Advisories (2)

Red Hat: pikepdf: XML external entity issue when parsing XMP metadata entries (2021-04-01)
Debian: CVE-2021-29421: pikepdf - models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows ... (2021)