cbcvebase.
CVE-2023-27476
published 2023-03-08

CVE-2023-27476: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models…

PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.98%
57.7th percentile
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.

Affected

9 ranges
VendorProductVersion rangeFixed in
debianowslib< owslib 0.27.2-3 (bookworm)owslib 0.27.2-3 (bookworm)
geopythonowslib< 0.28.10.28.1
osgeoowslib< 0.28.10.28.1
osgeoowslib>= 0 < 0.23.0-1+deb11u10.23.0-1+deb11u1
osgeoowslib>= 0 < 0.27.2-30.27.2-3
osgeoowslib>= 0 < 0.27.2-30.27.2-3
osgeoowslib>= 0 < 0.27.2-30.27.2-3
osgeoowslib>= 0 < 0.28.10.28.1
ubuntuowslib

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vendor_debian8.2HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.