CVE-2022-37189 DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service

If external entities are not prevented from being loaded into an application, then they can be used to corrupt data or cause other problems. For example, a malicious user can inject malicious external data into the application that can be used to cause DoS or simply cause problems for the application. Therefore, it is important to avoid using unsafe functions to parse untrusted data. xt:xml allows the usage of custom entities, but there are some things to be aware of. First, the xt:xml directive can only be used in modules. Second, it cannot be used with inline data. By using the xt:xml directive in the root of your application, it will be loaded before other modules. Therefore, it will be the only module that is loaded and parsed. Now that we know that xt:xml is the only module loaded, let’s see what happens when we try to parse untrusted data using xt:xml. xt:xml will parse the data that is passed to it, and convert it into a Python dict. Now that we have a dict of our data, we can do anything we want with it. To prevent XXE, we must limit the usage of unsafe functions to parse data. There are several functions that can be used for parsing untrusted data. xt:fromjson is a safe function that can be used for parsing untrusted data. Another way to prevent XXE is to use the data type of

What is XXE?

The term XXE stands for XML Entity Expansion. It is when an application is vulnerable to external entities that are embedded in the application. The entity can then be parsed, which means that it can be used to cause DoS or simply cause problems for the application. xt:xml will parse the data that is passed to it, and convert it into a Python dict. Now that we have a dict of our data, we can do anything we want with it. To prevent XXE, we must limit the usage of unsafe functions to parse data. There are several functions that can be used for parsing untrusted data. xt:fromjson is a safe function that can be used for parsing untrusted data. Another way to prevent XXE is to use the data type of JsonDict instead of using xt:xml

Timeline

Published on: 09/07/2022 13:15:00 UTC
Last modified on: 09/10/2022 02:43:00 UTC

References

• https://github.com/DDMAL/MEI2Volpiano/
• https://docs.python.org/3/library/xml.html#xml-vulnerabilities
• https://pyup.io/vulnerabilities/CVE-2022-37189/50928/
• https://github.com/DDMAL/MEI2Volpiano/blob/987b70fff991235e682405f901388af0f414eaa8/mei2volpiano/mei2volpiano.py#L59
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37189