CVE-2022-48565
Severity CVSS v4.0:
Pending analysis
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
22/08/2023
Last modified:
07/11/2023
Description
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.6.13 (excluding) | |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.7.0 (including) | 3.7.10 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.8.0 (including) | 3.8.7 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.9.0 (including) | 3.9.1 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://bugs.python.org/issue42051
- https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
- https://security.netapp.com/advisory/ntap-20231006-0007/