CVE-2021-39371

NameCVE-2021-39371
DescriptionAn XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2754-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pywps (PTS)buster4.2.1-1vulnerable
bullseye4.2.11-1vulnerable
bookworm4.5.2-1fixed
sid4.5.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pywpssourcestretch4.0.0-3+deb9u1DLA-2754-1
pywpssource(unstable)4.5.0-1

Notes

[bullseye] - pywps <no-dsa> (Minor issue)
[buster] - pywps <no-dsa> (Minor issue)
https://github.com/geopython/OWSLib/issues/790
https://github.com/geopython/pywps/pull/616

Search for package or bug name: Reporting problems