Pypi · Pikepdf · CVE-2021-29421
Name of the Vulnerable Software and Affected Versions:
pikepdf versions 1.3.0 through 2.9.2
Description:
The vulnerability allows XXE (XML External Entity) attacks when XMP metadata entries are parsed in the `models/metadata.py` file of the pikepdf package for Python. The XML parser used there resolves external entities declared in untrusted metadata, which can expose data or cause other security issues.
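As an added illustration of the defensive principle behind fixing this class of bug (this is example code, not pikepdf's own code or its actual patch), the guard below refuses any XMP packet that carries a DTD before the packet reaches an XML parser, since entity declarations, external ones included, can only appear inside a DTD; the two sample packets are constructed for the demonstration and the `file:///placeholder` system identifier is a placeholder.

```python
"""Guard XMP packets against XXE: refuse any packet carrying a DTD before it
reaches an XML parser. Added example, not pikepdf's code."""
import xml.etree.ElementTree as ET
from typing import Optional

# Standard RDF / Dublin Core namespace URIs used inside XMP packets.
NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "dc": "http://purl.org/dc/elements/1.1/"}

class UnsafeXmpError(ValueError):
    """The packet carries a DTD; an XMP packet has no legitimate need for one."""

def _as_utf8(packet: bytes) -> bytes:
    # Normalise UTF-16 input (BOM or bare '<\x00') to UTF-8 so the byte-level
    # marker check cannot be evaded by re-encoding the packet.
    if packet.startswith((b"\xff\xfe", b"\xfe\xff")):
        return packet.decode("utf-16").encode("utf-8")
    if packet.startswith(b"<\x00"):
        return packet.decode("utf-16-le").encode("utf-8")
    if packet.startswith(b"\x00<"):
        return packet.decode("utf-16-be").encode("utf-8")
    return packet

def xmp_has_dtd(packet: bytes) -> bool:
    # Entities (external ones included) can only be declared inside a DTD, so
    # flagging any DOCTYPE/ENTITY declaration catches XXE regardless of how the
    # downstream parser is configured. XML keywords are case-sensitive.
    data = _as_utf8(packet)
    return any(marker in data for marker in (b"<!DOCTYPE", b"<!ENTITY"))

def xmp_title(packet: bytes) -> Optional[str]:
    """Vet the packet, then parse it and return the x-default dc:title."""
    if xmp_has_dtd(packet):
        raise UnsafeXmpError("XMP packet carries a DTD; refusing to parse")
    li = ET.fromstring(packet).find(".//dc:title/rdf:Alt/rdf:li", NS)
    return li.text if li is not None else None

# Constructed sample packets (not real-world data); the second carries the
# DTD-with-external-entity shape that the guard must reject.
BENIGN_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
              b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
              b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
              b'<rdf:Description rdf:about="" '
              b'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title><rdf:Alt>'
              b'<rdf:li xml:lang="x-default">Quarterly report</rdf:li>'
              b'</rdf:Alt></dc:title></rdf:Description></rdf:RDF></x:xmpmeta>')
DTD_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
           b'<!DOCTYPE x:xmpmeta [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b'<x:xmpmeta xmlns:x="adobe:ns:meta/">&ext;</x:xmpmeta>')
```

Rejecting the DTD outright is the fail-closed option; a parser-level setting that disables entity resolution is the complementary control, and both should be combined with a test that feeds a UTF-16 encoded packet through the guard.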
Recommendations:
For pikepdf versions 1.3.0 through 2.9.2, update to a version that contains a fix for this issue to prevent XXE attacks when parsing XMP metadata entries.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.