CVE-2021-39371

7.5 HIGH
XXE

📋 TL;DR

This CVE describes an XML External Entity (XXE) injection vulnerability in PyWPS and potentially OWSLib. It allows attackers to read arbitrary files on the application server filesystem by manipulating XML entities. Systems running PyWPS before version 4.4.5 or OWSLib 0.24.1 are affected.

💻 Affected Systems

Products:
  • PyWPS
  • OWSLib
Versions: PyWPS < 4.4.5, OWSLib 0.24.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: OWSLib 0.24.1 may be affected but requires specific XML parsing configurations to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server filesystem disclosure including sensitive configuration files, credentials, and system files, leading to full system compromise.

🟠 Likely Case

Unauthorized reading of application files, configuration files, and potentially sensitive data stored on the server.

🟢 If Mitigated

Limited or no impact if XML external entity processing is disabled or proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with readily available exploitation techniques. The vulnerability requires XML input processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PyWPS 4.4.5

Vendor Advisory: https://github.com/geopython/pywps/pull/616

Restart Required: Yes

Instructions:

1. Update PyWPS to version 4.4.5 or later using pip (quote the specifier so the shell does not treat >= as a redirect): pip install --upgrade "pywps>=4.4.5"
2. Restart the PyWPS service
3. For OWSLib, ensure proper XML parser configuration or update if newer versions address the issue

🔧 Temporary Workarounds

Disable XML External Entity Processing

Applies to: all

Configure the XML parser to disable external entity resolution. For a Python SAX parser (the feature URIs below are the values of xml.sax.handler.feature_external_ges and feature_external_pes):

import xml.sax
xmlparser = xml.sax.make_parser()
xmlparser.setFeature('http://xml.org/sax/features/external-general-entities', False)
xmlparser.setFeature('http://xml.org/sax/features/external-parameter-entities', False)

Input Validation and Sanitization

Applies to: all

Implement strict input validation for XML content:

  • Implement XML schema validation
  • Use allowlists for acceptable XML elements and attributes

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to vulnerable systems
  • Deploy web application firewall (WAF) with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check the installed PyWPS version and verify whether it is < 4.4.5:

python -c "import pywps; print(pywps.__version__)"

Verify Fix Applied:

Confirm the PyWPS version is >= 4.4.5 and re-test XML processing with XXE test payloads to confirm that external entities are no longer resolved.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in application logs
  • XML parsing errors with external entity references
  • Large XML payloads with file:// or other URI schemes

Network Indicators:

  • XML requests containing external entity declarations
  • Requests with file://, http://, or ftp:// in XML content

SIEM Query:

source="application_logs" AND ("XXE" OR "external entity" OR "file://" OR "ENTITY")
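As an added example (not part of this advisory, PyWPS or OWSLib), the Python below ties the workaround section to the detection section: it screens an incoming request for the external entity declarations listed as a network indicator, then parses accepted requests with both SAX external-entity features disabled. The WPS Execute request samples are constructed, and the SYSTEM URI in the flagged sample is a placeholder.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample WPS Execute requests (not captured traffic); the second carries an
# external entity declaration like the network indicators describe (placeholder URI).
WPS_NS = b'xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1"'
BENIGN_REQUEST = (b'<?xml version="1.0"?><wps:Execute service="WPS" version="1.0.0" ' + WPS_NS +
                  b'><ows:Identifier>buffer</ows:Identifier></wps:Execute>')
SUSPICIOUS_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE wps:Execute [ <!ENTITY ext SYSTEM '
                      b'"file:///PLACEHOLDER/path"> ]><wps:Execute service="WPS" version="1.0.0" '
                      + WPS_NS + b'><ows:Identifier>&ext;</ows:Identifier></wps:Execute>')

# Pre-parse screen on the raw bytes, useful for logging and alerting: an entity declared with
# an external identifier (SYSTEM/PUBLIC), general or parameter (%), has no place in a WPS
# request. The parser settings further down are the actual control; this only spots intent.
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b")

def has_external_entity_declaration(xml_bytes: bytes) -> bool:
    """True if the document declares an external (SYSTEM/PUBLIC) entity."""
    return _EXTERNAL_ENTITY.search(xml_bytes) is not None

class _IdentifierHandler(ContentHandler):
    # Collects the text of every ows:Identifier element.
    def __init__(self):
        super().__init__()
        self.identifiers, self._buf = [], None
    def startElement(self, name, attrs):
        if name == "ows:Identifier":
            self._buf = []
    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)
    def endElement(self, name):
        if name == "ows:Identifier":
            self.identifiers.append("".join(self._buf).strip())
            self._buf = None

def parse_execute_request(xml_bytes: bytes) -> list:
    """Reject requests declaring external entities, then parse the rest with
    external entity resolution disabled (the two SAX features from the workaround)."""
    if has_external_entity_declaration(xml_bytes):
        raise ValueError("rejected: external entity declaration in XML request")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # external-general-entities
    parser.setFeature(feature_external_pes, False)  # external-parameter-entities
    handler = _IdentifierHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.identifiers
```

The rejection branch is the event worth forwarding to the SIEM query above, since it carries the request that triggered it.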
