CVE-2020-29128 : petl before 1.68, in some configurations, allows resolution of entities in an XM

petl before 1.68, in some configurations, allows resolution of entities in an XML document.

Published 2020-11-26 05:15:10

Updated 2020-12-03 16:48:48

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-29128

Petl Project » Petl
Versions before (<) 1.6.8
cpe:2.3:a:petl_project:petl:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

1.88%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Assigned by: nvd@nist.gov (Primary)

https://github.com/petl-developers/petl/issues/526

Security issue · Issue #526 · petl-developers/petl · GitHub
Issue Tracking;Third Party Advisory
https://petl.readthedocs.io/en/stable/changes.html

Changes — petl 1.6.8 documentation
Release Notes;Vendor Advisory
https://github.com/petl-developers/petl/compare/v1.6.7...v1.6.8

Comparing v1.6.7...v1.6.8 · petl-developers/petl · GitHub
Patch;Third Party Advisory
https://github.com/petl-developers/petl/pull/527

Added new parameter parser in fromxml() for custom parsers by juarezr · Pull Request #527 · petl-developers/petl · GitHub
Patch;Third Party Advisory
https://github.com/petl-developers/petl/pull/527/commits/1b0a09f08c3cdfe2e69647bd02f97c1367a5b5f8

Added new parameter parser in fromxml() for custom parsers by juarezr · Pull Request #527 · petl-developers/petl · GitHub
Patch;Third Party Advisory
https://github.com/petl-developers/petl/security/advisories/GHSA-f5gc-p5m3-v347

CVE-2020-29128: XXE in petl < 1.68 · Advisory · petl-developers/petl · GitHub
Third Party Advisory
https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md

advisories/cve-2020-29128.md at master · nvn1729/advisories · GitHub
Third Party Advisory

Jump to