CVE-2022-48565

CRITICAL

Python < 3.6.13 - XXE

Title source: rule

Description

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Exploits (1)

nomisec WORKING POC 3 stars
by Einstein2150 · poc
https://github.com/Einstein2150/CVE-2022-48565-POC

Scores

CVSS v3 9.8
EPSS 0.0727
EPSS Percentile 91.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-611
Status published

Affected Products (2)

python/python < 3.6.13
debian/debian_linux

Timeline

Published Aug 22, 2023
Tracked Since Feb 18, 2026