PT-2020-17093 · Lxml +1
Nvn1729 · Published 2020-11-26 · Updated 2021-04-20
CVE-2020-29128
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
petl versions prior to 1.68
Description
The vulnerability allows resolution of external entities in an XML document processed by petl (an XXE issue), which can lead to information disclosure. An attacker who can submit XML input to an application that uses petl can read arbitrary files on the file system with the privileges of the user the application runs as. The attack is possible when the application accepts attacker-supplied XML input that it processes with petl, returns the output generated by petl to the attacker, uses lxml as petl's underlying XML processing library, and runs with read access to files containing sensitive information.
Recommendations
Update to petl version 1.68 or later.
As a temporary workaround, ensure there is no user or external access to the application using petl.
Ensure your application does not use the function fromxml().
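The following is an added illustration of the workaround for applications that cannot yet upgrade; it is not code from petl, lxml or this advisory. It gates untrusted XML before it reaches petl's fromxml() by rejecting any document that declares a DTD (the only place an entity can be defined), using the standard-library expat parser, which does not fetch external entities on its own. It also builds an lxml parser with entity resolution and DTD loading switched off, for callers that can supply their own parser; resolve_entities, load_dtd and no_network are real lxml.etree.XMLParser options, but whether a given petl version lets you pass that parser through is not something this page states, so treat that part as an assumption. Both sample documents are constructed for the demo.

```python
# Added example: a pre-parse gate that refuses any XML carrying a DTD before the
# bytes reach petl.fromxml(), plus a hardened lxml parser for callers that can
# choose their own parser. Sample documents below are constructed for this demo.
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD (the carrier for entity definitions)."""


def check_no_dtd(xml_bytes: bytes) -> bytes:
    """Return xml_bytes unchanged if it contains no DOCTYPE; raise otherwise.

    Expat fires StartDoctypeDeclHandler as soon as it sees '<!DOCTYPE', before any
    entity in the internal subset is declared or expanded, so raising there stops
    the parse before an entity can be resolved. Stdlib expat does not fetch
    external entities by itself, so this pass is safe to run on untrusted input.
    Malformed XML raises xml.parsers.expat.ExpatError, which is left to propagate.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def on_entity_decl(*_args):
        # Belt and braces: cannot occur without a DOCTYPE, but costs nothing.
        raise UnsafeXMLError("entity declaration rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # True = final chunk; raises ExpatError if malformed
    return xml_bytes


def is_dtd_free(xml_bytes: bytes) -> bool:
    """Predicate form of check_no_dtd for callers that prefer a boolean."""
    try:
        check_no_dtd(xml_bytes)
    except UnsafeXMLError:
        return False
    return True


def hardened_lxml_parser():
    """Build an lxml parser that neither resolves entities nor loads DTDs.

    resolve_entities, load_dtd and no_network are real lxml.etree.XMLParser
    options. Returns None when lxml is not installed so the module still imports.
    Whether petl accepts a caller-supplied parser is an assumption, not something
    the advisory states.
    """
    try:
        from lxml import etree
    except ImportError:
        return None
    return etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)


# Constructed sample input: a benign table and one that declares an external
# entity pointing at a placeholder path (the shape the advisory describes).
SAFE_DOC = b"""<?xml version="1.0"?>
<table><row><name>alice</name><age>30</age></row></table>"""

DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE table [ <!ENTITY ext SYSTEM "file:///tmp/example-secret.txt"> ]>
<table><row><name>&ext;</name></row></table>"""


if __name__ == "__main__":
    # Only bytes that pass check_no_dtd() should be handed to petl.fromxml().
    print("safe document accepted:", is_dtd_free(SAFE_DOC))  # True
    print("DTD document accepted:", is_dtd_free(DTD_DOC))  # False
```

Call check_no_dtd() on the raw request body and hand only its return value to the code path that invokes petl; the rejection happens before any entity is declared, so the gate does not depend on which XML library petl picks up at runtime.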
Vulnerability class: XXE
Affected Products: petl, lxml