CVE-2022-48565 — XML External Entity (XXE) Injection in Python

CWE-611 — XML External Entity (XXE) Injection10 documents6 sources

Severity

9.8CRITICALNVD

OSV7.6OSV7.5

EPSS

7.3%

top 8.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Pypy3 Debian Python2.7 +2 more

Timeline

PublishedAug 22

Latest updateJan 6

Description

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDpython/python3.7.0 — 3.7.10+3

▶debiandebian/python2.7< pypy3 7.3.5+dfsg-2 (bookworm)

▶debiandebian/python3.9< pypy3 7.3.5+dfsg-2 (bookworm)

▶debiandebian/pypy3< pypy3 7.3.5+dfsg-2 (bookworm)

Also affects: Debian Linux 10.0

Patches

Patch: bugs.python.org ↗Patch: bugs.python.org ↗

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2025-01-06

▶

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

GHSA-crhm-wc96-7579: An XML External Entity (XXE) issue was discovered in Python through 3↗2023-08-22

▶

OSV

CVE-2022-48565: An XML External Entity (XXE) issue was discovered in Python through 3↗2023-08-22

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2025-01-06

▶

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Ubuntu

Python vulnerability↗2023-09-07

▶

Red Hat

python: XML External Entity in XML processing plistlib module↗2023-08-22

▶

Debian

CVE-2022-48565: pypy3 - An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The p...↗2022

▶