CVE-2020-29128

CRITICAL

petl <1.68 - Info Disclosure

Title source: llm

Description

petl before 1.68, in some configurations, allows resolution of entities in an XML document.

References (7)

[Patch, Third Party Advisory] https://github.com/petl-developers/petl/pull/527

[Release Notes, Vendor Advisory] https://petl.readthedocs.io/en/stable/changes.html

[Issue Tracking, Third Party Advisory] https://github.com/petl-developers/petl/issues/526

[Patch, Third Party Advisory] https://github.com/petl-developers/petl/compare/v1.6.7...v1.6.8

[Patch, Third Party Advisory] https://github.com/petl-developers/petl/pull/527/commits/1b0a09f08c3cdfe2e69647bd02f97c1367a5b5f8

[Third Party Advisory] https://github.com/petl-developers/petl/security/advisories/GHSA-f5gc-p5m3-v347

[Third Party Advisory] https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0188

EPSS Percentile 83.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-91

Status published

Products (2)

petl_project/petl < 1.6.8

pypi/petl 0 - 1.6.8PyPI

Published Nov 26, 2020

Tracked Since Feb 18, 2026