CVE-2023-27476

Name: CVE-2023-27476
Description: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
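
The description above comes down to entity resolution being left enabled on attacker-controlled XML. The following Python is an added example, not OWSLib's code and not a description of the upstream fix commit: it pre-scans untrusted XML with the standard library's expat parser and refuses any document that declares a DTD, declares an entity, or references an external entity, and only then hands the text to `xml.etree`. For installations that use `lxml`, a parser built with `resolve_entities=False` and `no_network=True` (both real `lxml.etree.XMLParser` options) is shown as the hardened counterpart. The function names, the `no_network` choice and the sample documents are this example's own assumptions and constructed inputs.

```python
"""Added example (not OWSLib's code or its upstream fix): refuse XML entity
resolution on untrusted input before handing the document to xml.etree."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised when an untrusted document declares a DTD or an entity, or
    references an external entity."""


def scan_untrusted_xml(data, forbid_dtd=True):
    """Pre-scan `data` with expat; return None if it is clean, else a reason.

    Nothing is resolved during the scan: each handler aborts parsing as soon
    as a DOCTYPE (optional), an entity declaration, or an external entity
    reference is seen, which is the class of construct behind the
    arbitrary-file-read the advisory describes.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise EntitiesForbidden(f"DTD <!DOCTYPE {name}> not allowed")

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        raise EntitiesForbidden(f"{kind} entity declaration {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity reference {system_id!r} not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except EntitiesForbidden as exc:
        return str(exc)
    return None


def safe_fromstring(data, forbid_dtd=True):
    """Parse untrusted XML with xml.etree only after the scan passed."""
    reason = scan_untrusted_xml(data, forbid_dtd=forbid_dtd)
    if reason is not None:
        raise EntitiesForbidden(reason)
    return ET.fromstring(data)


def make_hardened_lxml_parser():
    """Hardened lxml parser (assumption: lxml is installed; resolve_entities
    and no_network are real lxml.etree.XMLParser options)."""
    from lxml import etree
    return etree.XMLParser(resolve_entities=False, no_network=True)


# Constructed sample documents (not taken from the advisory). The SYSTEM
# identifier is a placeholder path; the scan rejects the declaration before
# anything could be read.
BENIGN_XML = "<wfs><layer>roads</layer></wfs>"
ENTITY_XML = (
    '<!DOCTYPE wfs [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
    "<wfs><layer>&ext;</layer></wfs>"
)

if __name__ == "__main__":
    print(safe_fromstring(BENIGN_XML).find("layer").text)
    print(scan_untrusted_xml(ENTITY_XML))
    print(scan_untrusted_xml(ENTITY_XML, forbid_dtd=False))
```

The scan and the parse are two passes over the same text on purpose: the expat handlers give a clear rejection reason for logging, while the second pass keeps the application's existing `xml.etree` call sites unchanged. Rejecting DTDs outright (the default) is the stricter policy; pass `forbid_dtd=False` only where a DOCTYPE without entity declarations is genuinely expected.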

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release         Version    Status
owslib (PTS)     buster          0.17.1-1   vulnerable
owslib (PTS)     bullseye        0.23.0-1   vulnerable
owslib (PTS)     bookworm, sid   0.27.2-2   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release        Fixed Version    Urgency   Origin   Debian Bugs
owslib    source   experimental   0.28.1-1~exp1
owslib    source   (unstable)     (unfixed)

Notes

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
