CVE-2022-48565 - OpenCVE

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Python	Python
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
python27:2.7-8100020240208011952.5f0f67de	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:2987	2024-05-22T00:00:00Z

References

Link	Providers
https://bugs.python.org/issue42051
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
https://nvd.nist.gov/vuln/detail/CVE-2022-48565
https://security.netapp.com/advisory/ntap-20231006-0007/
https://www.cve.org/CVERecord?id=CVE-2022-48565

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-22T00:00:00

Updated: 2024-08-03T15:17:54.848Z

Reserved: 2023-07-23T00:00:00

Link: CVE-2022-48565

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-08-22T19:16:32.007

Modified: 2023-11-07T03:56:34.770

Link: CVE-2022-48565

Redhat

Severity : Moderate

Publid Date: 2023-08-22T00:00:00Z

Links: CVE-2022-48565 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-48565", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T15:17:54.848Z", "dateReserved": "2023-07-23T00:00:00", "datePublished": "2023-08-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-11-03T21:07:30.286188"}, "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.python.org/issue42051"}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}, {"name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:54.848Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.python.org/issue42051", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB8842D9-B554-4B83-9E2E-0FAF292E448A", "versionEndExcluding": "3.6.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEB52F35-D464-4C26-A253-1B96B2A4921A", "versionEndExcluding": "3.7.10", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B3EA658-770C-4707-814A-494492D8962F", "versionEndExcluding": "3.8.7", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6D7EFB7-52A8-4C10-B5F9-6F599F94CDC7", "versionEndExcluding": "3.9.1", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities."}], "id": "CVE-2022-48565", "lastModified": "2023-11-07T03:56:34.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-22T19:16:32.007", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue42051"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2987", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "python27:2.7-8100020240208011952.5f0f67de", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "python: XML External Entity in XML processing plistlib module", "id": "2240059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240059"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-611", "details": ["An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", "A flaw was found in Python caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, an attacker could obtain sensitive information by disclosing files specified by parsing URI, and may cause denial of service by resource exhaustion."], "mitigation": {"lang": "en:us", "value": "The XML modules in python are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data, see the XML vulnerabilities and the defusedxml package sections. \nhttps://docs.python.org/dev/library/xml.html"}, "name": "CVE-2022-48565", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "impact": "moderate", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "impact": "moderate", "package_name": "inkscape:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "impact": "moderate", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "impact": "moderate", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "rh-python38-python", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48565\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48565"], "statement": "This vulnerability is classified as Moderate according to Red Hat's Severity Rating Classification, as in contrast to an Important severity rating, the conditions to exploit this vulnerability makes it highly improbable for a general remote use case to lead to arbitrary code execution or affect data integrity and the highest impact is data disclosure and application crash.\nThe versions of python as shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9 either has fixed code or they just provide `symlinks` to the main `python3` component, which provides the interpreter of the Python programming language. Therefore, both Red Hat Enterprise Linux versions 8 and 9 are not affected.\nhttps://access.redhat.com/security/updates/classification", "threat_severity": "Moderate", "upstream_fix": "python 3.10.0a2, python 3.9.1rc, python 3.8.7rc1, python 3.7.10, python 3.6.13"}