{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-48565", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-03T17:41:29.341Z", "dateReserved": "2023-07-23T00:00:00", "datePublished": "2023-08-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-11-03T21:07:30.286188"}, "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.python.org/issue42051"}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}, {"name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:54.848Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.python.org/issue42051", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T17:41:12.006540Z", "id": "CVE-2022-48565", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T17:41:29.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.python.org/issue42051", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", "name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/", "name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/", "name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/", "name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:54.848Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48565", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T17:41:12.006540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T17:41:22.644Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.python.org/issue42051"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update", "tags": ["mailing-list"]}, {"url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html", "name": "[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/", "name": "FEDORA-2023-e47078af3e", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/", "name": "FEDORA-2023-348a0dbcf3", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/", "name": "FEDORA-2023-ea38857cc3", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-11-03T21:07:30.286188"}}}, "cveMetadata": {"cveId": "CVE-2022-48565", "state": "PUBLISHED", "dateUpdated": "2024-10-03T17:41:29.341Z", "dateReserved": "2023-07-23T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-08-22T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB8842D9-B554-4B83-9E2E-0FAF292E448A", "versionEndExcluding": "3.6.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEB52F35-D464-4C26-A253-1B96B2A4921A", "versionEndExcluding": "3.7.10", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B3EA658-770C-4707-814A-494492D8962F", "versionEndExcluding": "3.8.7", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6D7EFB7-52A8-4C10-B5F9-6F599F94CDC7", "versionEndExcluding": "3.9.1", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities."}], "id": "CVE-2022-48565", "lastModified": "2024-11-21T07:33:30.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-22T19:16:32.007", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue42051"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue42051"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231006-0007/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2987", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "python27:2.7-8100020240208011952.5f0f67de", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "python: XML External Entity in XML processing plistlib module", "id": "2240059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240059"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-611", "details": ["An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.", "A flaw was found in Python caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, an attacker could obtain sensitive information by disclosing files specified by parsing URI, and may cause denial of service by resource exhaustion."], "mitigation": {"lang": "en:us", "value": "The XML modules in python are not secure against erroneous or maliciously constructed data. If you need to parse untrusted or unauthenticated data, see the XML vulnerabilities and the defusedxml package sections. \nhttps://docs.python.org/dev/library/xml.html"}, "name": "CVE-2022-48565", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "impact": "moderate", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "impact": "moderate", "package_name": "inkscape:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "impact": "moderate", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "impact": "moderate", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "rh-python38-python", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48565\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48565"], "statement": "This vulnerability is classified as Moderate according to Red Hat's Severity Rating Classification, as in contrast to an Important severity rating, the conditions to exploit this vulnerability makes it highly improbable for a general remote use case to lead to arbitrary code execution or affect data integrity and the highest impact is data disclosure and application crash.\nThe versions of python as shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9 either has fixed code or they just provide `symlinks` to the main `python3` component, which provides the interpreter of the Python programming language. Therefore, both Red Hat Enterprise Linux versions 8 and 9 are not affected.\nhttps://access.redhat.com/security/updates/classification", "threat_severity": "Moderate", "upstream_fix": "python 3.10.0a2, python 3.9.1rc, python 3.8.7rc1, python 3.7.10, python 3.6.13"}