How severe is CVE-2023-27476?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2023-27476?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2023-27476 - HIGH Severity | CVSS 7.5

Vulnerability Description

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.

Related Vulnerabilities

CVE-2005-1306

HIGH

CVSS:7.5(High)

The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulner...

CWE-6112005

CVE-2009-1699

HIGH

CVSS:7.5(High)

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, whic...

CWE-6112009

CVE-2011-3600

HIGH

CVSS:7.5(High)

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of fil...

CWE-6112011

CVE-2012-1102

HIGH

CVSS:7.5(High)

It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access...

CWE-6112012

CVE-2012-2656

HIGH

CVSS:7.5(High)

An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.

CWE-6112012

CVE-2012-4399

HIGH

CVSS:7.5(High)

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) ...

CWE-6112012