CVE-2020-29128
📋 TL;DR
CVE-2020-29128 is an XML External Entity (XXE) vulnerability in petl versions before 1.68 that allows attackers to read arbitrary files, conduct server-side request forgery (SSRF), or cause denial of service by exploiting XML entity resolution. This affects applications using petl's XML processing functionality with vulnerable configurations.
💻 Affected Systems
- petl
📦 What is this software?
Petl by Petl Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, complete system compromise, or sensitive data exfiltration through XXE attacks.
Likely Case
Arbitrary file read, SSRF attacks to internal systems, or denial of service.
If Mitigated
Limited impact if XML parsing is disabled or external entity resolution is blocked.
🎯 Exploit Status
XXE vulnerabilities are well-understood with readily available exploit techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.68 and later
Vendor Advisory: https://github.com/petl-developers/petl/compare/v1.6.7...v1.6.8
Restart Required: No
Instructions:
1. Update petl to version 1.68 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "petl>=1.68"
2. Verify the update with: pip show petl
3. Test XML processing functionality after update.
🔧 Temporary Workarounds
Disable external entity resolution
Configure the XML parser to disable external entity resolution and DTD processing.
Configure XML parser with: parser.setFeature('http://xml.org/sax/features/external-general-entities', False)
parser.setFeature('http://xml.org/sax/features/external-parameter-entities', False)
parser.setFeature('http://apache.org/xml/features/disallow-doctype-decl', True)
🧯 If You Can't Patch
- Implement input validation to reject XML documents with DOCTYPE declarations
- Use network segmentation to isolate systems processing XML from untrusted sources
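The two mitigations above, disabling external entity resolution and rejecting documents that carry a DOCTYPE, as an added example written for this page rather than code from the petl project. It uses only the Python standard library: the first two setFeature names from the workaround correspond to the xml.sax.handler constants used below, while the third (disallow-doctype-decl) is a Xerces feature that Python's expat-based SAX parser does not recognise, so DOCTYPE rejection is done with an expat declaration handler instead. The sample documents are constructed for the demonstration.

```python
import xml.parsers.expat
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed sample inputs (not from the advisory): a plain record set and a
# document that declares an external entity, the construct XXE relies on.
BENIGN_XML = b"<table><row><id>1</id><name>alpha</name></row></table>"
DOCTYPE_XML = (b'<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///placeholder/never-read">]>'
               b"<t>&ext;</t>")

class UnsafeXML(ValueError):
    """Document uses a DOCTYPE or entity declaration we refuse to process."""

def check_no_doctype(data: bytes) -> bool:
    """Return True if the document has no DOCTYPE and declares no entities.
    expat invokes the handlers the moment it reads the construct, so the
    document is refused before any entity could be resolved or expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration rejected: %s" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration rejected: %s" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # raises UnsafeXML, or ExpatError if malformed
    return True

def is_safe(data: bytes) -> bool:
    """Gatekeeper for untrusted XML: False on DOCTYPE/ENTITY or malformed input."""
    try:
        return check_no_doctype(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False

def hardened_sax_parser():
    """SAX parser with both external-entity features from the workaround off."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    return parser

def external_entities_disabled(parser) -> bool:
    """True when neither general nor parameter external entities are resolved."""
    return not (parser.getFeature(feature_external_ges)
                or parser.getFeature(feature_external_pes))
```

Run is_safe() on every document before handing it to petl's XML loader; the check costs one expat pass and fails closed on malformed input.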
🔍 How to Verify
Check if Vulnerable:
Check the petl version with: python -c "import petl; print(petl.__version__)" and confirm whether it is below 1.68
Check Version:
python -c "import petl; print(petl.__version__)"
Verify Fix Applied:
After updating, verify that the version is 1.68 or higher and test XML processing with known XXE payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from XML processing components
- XML parsing errors with external entity references
- Unexpected outbound network connections from XML processors
Network Indicators:
- HTTP requests to internal systems from XML processing servers
- Large XML payloads with DOCTYPE declarations
SIEM Query:
source="application_logs" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM") AND process="petl"
🔗 References
- https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md
- https://github.com/petl-developers/petl/compare/v1.6.7...v1.6.8
- https://github.com/petl-developers/petl/issues/526
- https://github.com/petl-developers/petl/pull/527
- https://github.com/petl-developers/petl/pull/527/commits/1b0a09f08c3cdfe2e69647bd02f97c1367a5b5f8
- https://github.com/petl-developers/petl/security/advisories/GHSA-f5gc-p5m3-v347
- https://petl.readthedocs.io/en/stable/changes.html