CVE-2021-39371 — XML External Entity (XXE) Injection in Pywps

CWE-611 — XML External Entity (XXE) Injection CWE-91 — XML Injection (aka Blind XPath Injection)6 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Osgeo Pywps Debian Pywps Debian Linux +1 more

Timeline

PublishedAug 23

Latest updateSep 2

Description

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDosgeo/pywps< 4.4.5

▶PyPIosgeo/pywps< 4.5.0

▶debiandebian/pywps< pywps 4.5.0-1 (bookworm)

▶Debianosgeo/pywps< 4.5.0-1+2

▶NVDosgeo/owslib0.24.1

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

XML External Entity Injection in PyWPS↗2021-09-02

▶

OSV

XML External Entity Injection in PyWPS↗2021-09-02

▶

OSV

CVE-2021-39371: An XML external entity (XXE) injection in PyWPS before 4↗2021-08-23

▶

OSV

CVE-2021-39371: An XML external entity (XXE) injection in PyWPS before 4↗2021-08-23

▶

📋Vendor Advisories

Debian

CVE-2021-39371: pywps - An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker ...↗2021

▶