CVE-2023-27476
published 2023-03-08CVE-2023-27476: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models…
PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.98%
57.7th percentile
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | owslib | < owslib 0.27.2-3 (bookworm) | owslib 0.27.2-3 (bookworm) |
| geopython | owslib | < 0.28.1 | 0.28.1 |
| osgeo | owslib | < 0.28.1 | 0.28.1 |
| osgeo | owslib | >= 0 < 0.23.0-1+deb11u1 | 0.23.0-1+deb11u1 |
| osgeo | owslib | >= 0 < 0.27.2-3 | 0.27.2-3 |
| osgeo | owslib | >= 0 < 0.27.2-3 | 0.27.2-3 |
| osgeo | owslib | >= 0 < 0.27.2-3 | 0.27.2-3 |
| osgeo | owslib | >= 0 < 0.28.1 | 0.28.1 |
| ubuntu | owslib | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vendor_debian8.2HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2023-27476: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content mod
osv·2023-03-08·CVSS 7.5
CVE-2023-27476 [HIGH] CVE-2023-27476: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content mod
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
OSV
OWSLib vulnerable to XML External Entity (XXE) Injection
osv·2023-03-07
CVE-2023-27476 [HIGH] OWSLib vulnerable to XML External Entity (XXE) Injection
OWSLib vulnerable to XML External Entity (XXE) Injection
### Impact
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.
### Patches
- Use only lxml for XML handling, adding `resolve_entities=False` to `lxml`'s parser: https://github.com/geopython/OWSLib/pull/863
### Workarounds
```python
patch_well_known_namespaces(etree)
etree.set_default_parser(
parser=etree.XMLParser(resolve_entities=False)
)
```
### References
- [`GHSL-2022-131`](https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/)
GHSA
OWSLib vulnerable to XML External Entity (XXE) Injection
ghsa·2023-03-07
CVE-2023-27476 [HIGH] CWE-611 OWSLib vulnerable to XML External Entity (XXE) Injection
OWSLib vulnerable to XML External Entity (XXE) Injection
### Impact
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase.
### Patches
- Use only lxml for XML handling, adding `resolve_entities=False` to `lxml`'s parser: https://github.com/geopython/OWSLib/pull/863
### Workarounds
```python
patch_well_known_namespaces(etree)
etree.set_default_parser(
parser=etree.XMLParser(resolve_entities=False)
)
```
### References
- [`GHSL-2022-131`](https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/)
Ubuntu
OWSLib vulnerability
vendor_ubuntu·2026-05-07
CVE-2023-27476 OWSLib vulnerability
Title: OWSLib vulnerability
Summary: OWSLib could be made to expose sensitive information.
It was discovered that OWSLib did not properly disable entity resolution
within its XML parser. An attacker could possibly use this issue to read
arbitrary files via a crafted XML payload.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-27476: owslib - OWSLib is a Python package for client programming with Open Geospatial Consortiu...
vendor_debian·2023·CVSS 8.2
CVE-2023-27476 [HIGH] CVE-2023-27476: owslib - OWSLib is a Python package for client programming with Open Geospatial Consortiu...
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
Scope: local
bookworm: resolved (fixed in 0.27.2-3)
bullseye: resolved (fixed in 0.23.0-1+deb11u1)
forky: resolved (fixed in 0.27.2-3)
sid: resolved (fixed in 0.27.2-3)
trixie: resolved (fixed in 0.27.2-3)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122fhttps://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggchttps://lists.debian.org/debian-lts-announce/2023/06/msg00032.htmlhttps://securitylab.github.com/advisories/GHSL-2022-131_owslib/https://www.debian.org/security/2023/dsa-5426https://github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122fhttps://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggchttps://lists.debian.org/debian-lts-announce/2023/06/msg00032.htmlhttps://securitylab.github.com/advisories/GHSL-2022-131_owslib/https://www.debian.org/security/2023/dsa-5426
2023-03-08
Published