CVE-2022-48565
CRITICAL 9.8 | EPSS 7.3% | Published: 8/22/2023 | Modified: 4/28/2026
Description
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Affected packages (6)
- Bitnami/libpython: from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
- Bitnami/python: from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
- Bitnami/python-min: from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
- Debian/pypy3: from 0, < 7.3.5+dfsg-2
- Debian/python2.7: from 0, < 2.7.18-8+deb11u1
- Debian/python3.9: from 0, < 3.9.1~rc1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-48565
- WEB: https://bugs.python.org/issue42051
- WEB: https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
- WEB: https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2022-48565
- WEB: https://security.netapp.com/advisory/ntap-20231006-0007/