Description
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
A flaw was found in Python caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, an attacker could obtain sensitive information by disclosing files specified by parsing URI, and may cause denial of service by resource exhaustion.
Report
This vulnerability is classified as Moderate according to Red Hat's Severity Rating Classification: in contrast to an Important severity rating, the conditions required to exploit it make it highly improbable that a general remote use case leads to arbitrary code execution or affects data integrity; the highest impact is data disclosure and application crash.
The versions of python shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9 either contain the fixed code or only provide symlinks to the main python3 component, which provides the interpreter of the Python programming language. Therefore, Red Hat Enterprise Linux versions 8 and 9 are not affected.
https://access.redhat.com/security/updates/classification
Mitigations
The XML modules in python are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data, see the XML vulnerabilities and the defusedxml package sections. https://docs.python.org/dev/library/xml.html
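As an added example (not from this advisory, and not Python's or defusedxml's own code), a defender-side check for plist input: a pre-parse scan that refuses any document declaring an XML entity, and a probe that confirms whether the installed plistlib carries the fix described above, i.e. raises plistlib.InvalidFileException on entity declarations instead of expanding them. The two sample documents, the function names and the regular expression are constructed for this illustration; the entity in the sample is internal and harmless.

```python
import plistlib
import re

# Constructed for this example: XML keywords are case-sensitive, so match "<!ENTITY" exactly.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b")

# Constructed sample: a normal plist with Apple's standard DOCTYPE and no entity declarations.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>name</key><string>demo</string></dict></plist>
"""

# Constructed sample: the same plist with a harmless internal entity declared in the DTD subset.
# A fixed plistlib rejects the declaration; an unfixed one silently expands &greeting; to "hello".
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY greeting "hello"> ]>
<plist version="1.0"><dict><key>name</key><string>&greeting;</string></dict></plist>
"""


def has_entity_declaration(data: bytes) -> bool:
    """Cheap pre-parse check: does the raw document declare any XML entity?"""
    return _ENTITY_DECL.search(data) is not None


def safe_load_plist(data: bytes):
    """Parse an XML plist, refusing entity declarations regardless of interpreter version.

    This mirrors the behaviour of the fixed plistlib (regular plist files never declare
    entities) and gives the same protection on an interpreter that predates the fix.
    """
    if has_entity_declaration(data):
        raise ValueError("refusing plist: XML entity declarations are not allowed")
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def interpreter_rejects_entity_decls() -> bool:
    """Probe whether the installed plistlib carries the fix (raises on an entity declaration)."""
    try:
        plistlib.loads(ENTITY_PLIST, fmt=plistlib.FMT_XML)
    except plistlib.InvalidFileException:
        return True
    return False  # parsed without error: plistlib still accepts entity declarations
```

Run interpreter_rejects_entity_decls() on each deployed interpreter to spot unpatched builds; route all externally supplied plist data through safe_load_plist() so the check does not depend on the interpreter version.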
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | python | Out of support scope | | |
Red Hat Enterprise Linux 7 | python | Out of support scope | | |
Red Hat Enterprise Linux 7 | python3 | Out of support scope | | |
Red Hat Enterprise Linux 8 | gimp:flatpak/python2 | Affected | | |
Red Hat Enterprise Linux 8 | inkscape:flatpak/python2 | Will not fix | | |
Red Hat Enterprise Linux 8 | python3 | Not affected | | |
Red Hat Enterprise Linux 8 | python3.11 | Not affected | | |
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | | |
Red Hat Enterprise Linux 8 | python39:3.9/python39 | Not affected | | |
Red Hat Enterprise Linux 9 | python3.11 | Not affected | | |
Additional information
CVSS3: 7.8 High
Related vulnerabilities
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Vulnerability in the plistlib module of the Python programming language interpreter, allowing an attacker to carry out XXE attacks