PT-2023-21153 · Owslib+4

Jorgectf +1 · Published 2023-03-07 · Updated 2026-05-07 · CVE-2023-27476

CVSS v4.0: 8.8 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OWSLib versions prior to 0.28.1

Description: The XML parser in OWSLib does not disable entity resolution, so an attacker-controlled XML document (for example a crafted service response that OWSLib is asked to parse) can declare an external entity and have its target, such as a local file, read into the parsed result: an XXE leading to arbitrary file reads. This affects all XML parsing in the codebase. The estimated number of potentially affected devices is not specified.

Recommendations: Upgrade to OWSLib 0.28.1, which resolves the issue. As a temporary workaround, patch the library manually: pass resolve_entities=False when constructing lxml's XMLParser, or apply the provided patch to disable entity resolution for xml.etree. Until the fix is in place, limit the XML that OWSLib parses to trusted sources, since the payload arrives inside the document being parsed.
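The following is an added example, not OWSLib's or lxml's own code, showing what "entity resolution" does to an attacker-controlled document and how the advisory's workaround (constructing lxml's XMLParser with resolve_entities=False) changes the outcome. The secret file, the XXE payload and the element names are constructed for the demonstration. The stdlib xml.sax reader, with its external-entity feature switched on and off, is used as a stand-in that runs without third-party packages; the lxml part is guarded so the script also runs where lxml is absent, and the flag is passed explicitly because the parser default varies between lxml versions. xml.etree.ElementTree is included for comparison: it does not fetch external entities and raises ParseError instead.

```python
"""Added example (not OWSLib's or lxml's code): entity resolution on an
attacker-controlled XML document, and lxml's resolve_entities=False fix.

Assumptions: POSIX file paths; lxml may or may not be installed (guarded
import); the secret file and the XXE payload are constructed here.
"""
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
import xml.sax.handler

try:
    from lxml import etree  # the parser the advisory's workaround refers to
except ImportError:
    etree = None


def xxe_payload(path: str) -> bytes:
    """Constructed XXE payload: an external general entity whose SYSTEM id is
    a local file, referenced from the body of an OGC-style document."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE ServiceException [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<ServiceException>&xxe;</ServiceException>\n"
    ).encode()


class _Collector(xml.sax.handler.ContentHandler):
    """Records character data so we can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def sax_text(payload: bytes, resolve_external: bool) -> str:
    """Parse with the expat-backed stdlib SAX reader.

    feature_external_ges=True is the 'entity resolution enabled' state the
    advisory describes; the stdlib default (False) is the safe state.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.chunks)


def stdlib_etree_text(payload: bytes) -> str:
    """xml.etree.ElementTree never fetches external entities; it fails instead."""
    try:
        return ET.fromstring(payload).text or ""
    except ET.ParseError as exc:
        return f"ParseError: {exc}"


def lxml_text(payload: bytes, resolve_entities: bool):
    """Parse with lxml. resolve_entities=False is the advisory's workaround.
    Returns the element text: the file contents when entities are resolved,
    None when the entity reference is left unresolved in the tree."""
    if etree is None:
        raise RuntimeError("lxml is not installed")
    parser = etree.XMLParser(resolve_entities=resolve_entities, no_network=True)
    root = etree.fromstring(payload, parser)
    return root.text


def demo(secret: str = "token-4f3c") -> dict:
    """Write a constructed secret file, then parse the payload each way."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        payload = xxe_payload(path)
        results = {
            "sax_external_entities_on": sax_text(payload, True),   # leaks the file
            "sax_default": sax_text(payload, False),               # empty text
            "stdlib_etree": stdlib_etree_text(payload),            # ParseError
        }
        if etree is not None:
            results["lxml_resolve_entities_True"] = lxml_text(payload, True)    # leaks
            results["lxml_resolve_entities_False"] = lxml_text(payload, False)  # None
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} -> {value!r}")
```

Run the script directly to see the secret appear only on the parsers that resolve external entities. With resolve_entities=False lxml keeps the `&xxe;` reference as an entity node in the tree rather than expanding it, which is why the text comes back as None; an application that later serialises that tree must treat the unexpanded reference as untrusted input, not as missing data.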

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2023-27476
DLA-3470-1
DSA-5426-1
GHSA-8H9C-R582-MGGC
MGASA-2023-0112
PYSEC-2023-86
USN-8247-1

Affected Products

Linuxmint
Owslib
Ubuntu
Lxml
Xml.Etree