PT-2022-7024 · Python+10

Published: 2019-05-07 · Updated: 2026-02-21 · CVE-2022-48565

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Python versions prior to 3.9.1
Python version 3.8.7 and earlier

Description

The issue is an XML External Entity (XXE) problem in the plistlib module of the Python programming language interpreter, caused by improper restriction of XML external entity references. Exploitation of the issue may allow a remote attacker to conduct XXE attacks. In fixed versions, the plistlib module no longer accepts entity declarations in XML plist files, to avoid XML vulnerabilities.

Recommendations

For Python versions prior to 3.9.1, update to version 3.9.1 or later to resolve the issue. For the Python 3.8 line, update to version 3.8.7 or later to resolve the issue. As a temporary workaround until a patch is available, consider disabling the use of entity declarations in XML plist files handled by the plistlib module. Restrict access to the plistlib module to minimize the risk of exploitation.
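
The restriction on entity declarations described above can also be enforced by the caller on interpreters that predate the fix. The following is an added example, not code from CPython or from this advisory; `load_plist_strict`, `stdlib_rejects_entities`, `EntityDeclarationError` and both sample documents are hypothetical names and constructed inputs.

```python
import plistlib
from xml.parsers import expat

# Constructed sample: a harmless internal entity, enough to trigger the check.
SAMPLE_WITH_ENTITY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY label "constructed-value"> ]>
<plist version="1.0"><dict><key>name</key><string>&label;</string></dict></plist>
"""
# Constructed sample: an ordinary plist without any declarations.
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>name</key><string>plain</string></dict></plist>
"""


class EntityDeclarationError(ValueError):
    """An XML plist carried an <!ENTITY ...> declaration."""


def _reject_entity(*_args):
    # expat calls this when it reads a declaration, before any expansion.
    raise EntityDeclarationError("entity declaration in XML plist")


def load_plist_strict(data: bytes):
    """Parse plist bytes, refusing XML input that declares entities.

    Hypothetical wrapper (assumption, not a plistlib API): it pre-scans the
    input with expat so the refusal does not depend on the interpreter version.
    """
    if not data.startswith(b"bplist00"):  # binary plists have no XML layer
        scanner = expat.ParserCreate()
        scanner.EntityDeclHandler = _reject_entity
        try:
            scanner.Parse(data, True)
        except expat.ExpatError as exc:
            raise plistlib.InvalidFileException(str(exc)) from exc
    return plistlib.loads(data)


def stdlib_rejects_entities() -> bool:
    """Report whether this interpreter's plistlib already refuses entities."""
    try:
        plistlib.loads(SAMPLE_WITH_ENTITY)
    except plistlib.InvalidFileException:
        return True
    return False


if __name__ == "__main__":
    print("plistlib rejects entity declarations:", stdlib_rejects_entities())
```

`stdlib_rejects_entities()` can run as a deployment check to confirm that the interpreter in use carries the fix, while `load_plist_strict()` covers hosts that cannot be upgraded yet.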

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

ALSA-2019_0981
ALSA-2019_3335
ALSA-2020_1605
ALSA-2020_4641
ALSA-2020_4654
ALSA-2021_1761
ALSA-2021_1879
ALSA-2021_4151
ALSA-2021_4160
ALSA-2021_4162
ALSA-2021_4399
ALSA-2022_1642
ALSA-2022_1764
ALSA-2022_1821
ALSA-2022_1986
ALSA-2022_2201
ALSA-2022_6457
ALSA-2022_7323
ALSA-2022_7581
ALSA-2022_7592
ALSA-2022_7593
ALSA-2022_7813
ALSA-2022_8353
ALSA-2022_8420
ALSA-2022_8492
ALSA-2022_8493
ALSA-2023_0833
ALSA-2023_0835
ALSA-2023_0952
ALSA-2023_0953
ALSA-2023_2763
ALSA-2023_2764
ALSA-2023_2860
ALSA-2023_3585
ALSA-2023_3591
ALSA-2023_3594
ALSA-2023_3595
ALSA-2023_3780
ALSA-2023_3781
ALSA-2023_3811
ALSA-2023_5456
ALSA-2023_5462
ALSA-2023_5463
ALSA-2023_5994
ALSA-2023_5997
ALSA-2023_5998
ALSA-2023_6494
ALSA-2023_7024
ALSA-2023_7753
ALSA-2024:2987
ALSA-2024_0114
ALSA-2024_0116
ALSA-2024_0133
ALSA-2024_0256
ALSA-2024_0464
ALSA-2024_0466
ALSA-2024_1530
ALSA-2024_2132
ALSA-2024_2159
ALSA-2024_2292
ALSA-2024_2348
ALSA-2024_2985
ALSA-2024_2986
ALSA-2024_2987
ALSA-2024_3062
ALSA-2024_3347
ALSA-2024_3466
ALSA-2024_4058
ALSA-2024_4077
ALSA-2024_4078
ALSA-2024_4243
ALSA-2024_6754
ALSA-2024_6989
ALSA-2024_8922
ALSA-2024_9190
ALSA-2024_9192
ALSA-2025_0733
ALSA-2025_0925
ALSA-2025_16880
ALSA-2025_21776
ALSA-2025_21974
ALSA-2025_22175
ALSA-2025_23342
ALSA-2025_23530
ALSA-2025_3531
ALSA-2025_3913
ALSA-2025_7444
ALT-PU-2024-3474
BDU:2023-06655
BIT-LIBPYTHON-2022-48565
BIT-PYTHON-2022-48565
BIT-PYTHON-MIN-2022-48565
CESA-2024_2987
CVE-2022-48565
DLA-3575-1
DLA-3614-1
ELSA-2024-2987
GHSA-CRHM-WC96-7579
INFSA-2024_2987
MGASA-2024-0084
OESA-2023-1597
OESA-2023-1598
OPENSUSE-SU-2023_4220-1
OPENSUSE-SU-2024:13253-1
PSF-2023-5
RHSA-2024:2987
RHSA-2024_2987
RLSA-2024_2987
ROSA-SA-2025-2646
SUSE-SU-2023:4001-1
SUSE-SU-2023:4220-1
SUSE-SU-2023_4001-1
USN-6354-1
USN-6891-1
USN-7180-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Python
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu