CVE-2023-27476

Name: CVE-2023-27476
Description: OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
Source: CVE (at NVD)
References: DLA-3470-1, DSA-5426-1
Debian Bugs: 1034182
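The advisory text describes the bug class (an XML parser that leaves entity resolution enabled, so a DOCTYPE in a service response can declare a SYSTEM entity that reads a local file) but not a fix pattern. The following is an added example, written for this page and not taken from OWSLib or from either fix commit above. It is stdlib-only: a pre-pass with `xml.parsers.expat` rejects any document that declares a DTD or entity before anything is expanded, and only then does `xml.etree` parse it. `hardened_lxml_parser()` shows the corresponding `lxml` option (`resolve_entities=False`, a real `lxml.etree.XMLParser` keyword); whether that is exactly what the OWSLib patch does is not stated on this page and is an assumption. The two documents (`BENIGN`, a minimal WMS-style capabilities response, and `XXE`, a payload of the kind the advisory describes) are constructed for this example; the `/etc/passwd` path is never read.

```python
"""Added example (not OWSLib's own code or its fix): parse untrusted XML
from an OGC service response without letting a DOCTYPE smuggle in an
external entity. Stdlib only; lxml is used only if importable.

Constructed inputs: BENIGN is a minimal WMS-style capabilities document,
XXE is a payload of the kind the advisory describes.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD or an entity."""


class _Found(Exception):
    """Internal: stops the expat pre-pass as soon as a DTD is seen."""


def contains_dtd(data: bytes) -> bool:
    """Pre-pass over the raw bytes: True if a DOCTYPE or entity is declared.

    The expat callbacks below fire when the declaration is *read*, before
    any entity is expanded, so a SYSTEM entity is never resolved here.
    Rejecting every DTD also blocks internal-entity blowups (billion
    laughs), which xml.etree only mitigates with a recent Expat.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _Found()

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise _Found()

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(data, True)
    except _Found:
        return True
    except xml.parsers.expat.ExpatError:
        # Malformed input with no DTD seen before the error; the real
        # parser in parse_untrusted() will report the syntax problem.
        return False
    return False


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse an OGC response body, refusing any document that carries a DTD."""
    if contains_dtd(data):
        raise UnsafeXML("DOCTYPE or entity declaration in untrusted XML")
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    """True if parse_untrusted() accepts the document, False if it rejects it."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return False
    return True


def hardened_lxml_parser():
    """lxml counterpart (assumed pattern, not necessarily the OWSLib patch).

    lxml.etree.XMLParser() resolves entities by default, which is the
    behaviour the advisory describes. With resolve_entities=False an
    entity reference such as &xxe; is left unexpanded instead of being
    replaced by the file's contents; no_network additionally refuses
    remote SYSTEM identifiers. Returns None when lxml is not installed
    so the rest of this example stays stdlib-only.
    """
    try:
        from lxml import etree as lxml_etree
    except ImportError:
        return None
    return lxml_etree.XMLParser(resolve_entities=False, no_network=True)


# Constructed sample inputs (not real service responses).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<WMS_Capabilities version="1.3.0">'
          b'<Service><Name>WMS</Name></Service>'
          b'</WMS_Capabilities>')

XXE = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE WMS_Capabilities [\n'
       b'  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
       b']>\n'
       b'<WMS_Capabilities version="1.3.0">'
       b'<Service><Name>&xxe;</Name></Service>'
       b'</WMS_Capabilities>')


if __name__ == "__main__":
    root = parse_untrusted(BENIGN)
    print("benign parsed:", root.find("Service/Name").text)
    try:
        parse_untrusted(XXE)
    except UnsafeXML as exc:
        print("payload rejected:", exc)
```

Rejecting the whole DTD, rather than only external entities, is the simpler policy for a client library: OGC capabilities and feature documents from real services do not need a DOCTYPE, and a blanket refusal also covers the internal-entity amplification cases that disabling external resolution alone would leave open.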

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version             Status
owslib (PTS)     buster                          0.17.1-1            vulnerable
                 buster (security)               0.17.1-1+deb10u1    fixed
                 bullseye (security), bullseye   0.23.0-1+deb11u1    fixed
                 bookworm                        0.27.2-3            fixed
                 sid, trixie                     0.30.0-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release        Fixed Version       Urgency   Origin       Debian Bugs
owslib    source   experimental   0.28.1-1~exp1
owslib    source   buster         0.17.1-1+deb10u1              DLA-3470-1
owslib    source   bullseye       0.23.0-1+deb11u1              DSA-5426-1
owslib    source   (unstable)     0.27.2-3                                   1034182

Notes

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063 (0.29.0)
https://github.com/geopython/OWSLib/commit/b0c687544ddc213d8dcd4a056139b63451938b21 (0.28.1)
https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc
https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/
