CVE-2022-31471
📋 TL;DR
CVE-2022-31471 is an XML External Entity (XXE) vulnerability in the untangle Python library that allows attackers to read local files on systems processing untrusted XML data. This affects any application using untangle versions 1.2.0 or earlier to parse XML from untrusted sources. Remote unauthenticated attackers can exploit this to access sensitive files on vulnerable systems.
💻 Affected Systems
- untangle Python library
📦 What is this software?
Untangle by Untangle Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, SSH keys, configuration files, or database credentials, potentially leading to further attacks.
Likely Case
Information disclosure of local files accessible to the application process, including configuration files, logs, or other sensitive data.
If Mitigated
No impact if XML parsing is restricted to trusted sources or proper input validation is implemented.
🎯 Exploit Status
XXE vulnerabilities are well-understood with many public exploit examples. The vulnerability requires the application to process attacker-controlled XML.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.1
Vendor Advisory: https://github.com/stchris/untangle/releases/tag/1.2.1
Restart Required: No
Instructions:
1. Update untangle to version 1.2.1 or later using pip: pip install --upgrade "untangle>=1.2.1" (quote the requirement so the shell does not treat >= as an output redirect)
2. Verify the update with: pip show untangle
3. No application restart required for library updates in Python.
🔧 Temporary Workarounds
Disable external entity processing
Configure the XML parser to disable external entity resolution before passing the document to untangle
import untangle
import defusedxml.ElementTree as ET
from defusedxml import DefusedXmlException
# Parse with defusedxml first: it raises on DTD entity declarations
# and never resolves external entities.
try:
    safe_tree = ET.parse(xml_file)
except DefusedXmlException:
    raise ValueError("rejected XML containing DTD/entity constructs")
# Re-serialise the vetted tree (the DOCTYPE is not carried over) and hand
# the string to untangle.parse(), which accepts raw XML text.
obj = untangle.parse(ET.tostring(safe_tree.getroot(), encoding="unicode"))
Input validation and sanitization
Validate and sanitize XML input before processing it with untangle
import re
# Stopgap only: strip the whole DOCTYPE, including its internal subset
# (where ENTITY declarations live), then refuse any input that still
# carries DTD markup instead of trusting the strip.
sanitized_xml = re.sub(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', '', xml_content, flags=re.DOTALL | re.IGNORECASE)
sanitized_xml = re.sub(r'<!ENTITY\b.*?>', '', sanitized_xml, flags=re.DOTALL | re.IGNORECASE)
if re.search(r'<!(?:DOCTYPE|ENTITY)\b', sanitized_xml, flags=re.IGNORECASE):
    raise ValueError("XML input still contains DTD declarations; rejecting")
🧯 If You Can't Patch
- Implement strict input validation to only accept XML from trusted sources
- Deploy network segmentation to isolate systems using vulnerable untangle versions
🔍 How to Verify
Check if Vulnerable:
Check untangle version with: python -c "import untangle; print(untangle.__version__)" or pip show untangle
Check Version:
pip show untangle | grep Version
Verify Fix Applied:
Verify version is 1.2.1 or higher: python -c "import untangle; print('VULNERABLE' if tuple(map(int, untangle.__version__.split('.'))) <= (1,2,0) else 'PATCHED')"
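As an added example (not code from the advisory or the untangle project), a stdlib-only helper that implements the version test from the one-liner above and a pre-parse gate for the DOCTYPE/entity workarounds listed under Temporary Workarounds: it walks untrusted XML with expat, records any DOCTYPE or entity declaration without ever fetching an external reference, and only clean text is meant to reach untangle.parse(). The function names and the two sample documents are constructed for this example.

```python
import xml.parsers.expat


def is_vulnerable_version(version: str) -> bool:
    """True for untangle <= 1.2.0 (the affected range), as in the one-liner above."""
    return tuple(int(p) for p in version.split(".")[:3]) <= (1, 2, 0)


def xxe_findings(xml_text: str) -> list:
    """Reasons the document must not reach untangle.parse(); empty if clean.
    Expat reports the DOCTYPE and every entity declaration to the handlers;
    external references are recorded, never fetched (handler returns 1)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' present")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:
            findings.append(f"external {kind} entity '{name}' -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"content references external entity {sysid or pubid}")
        return 1  # tell expat to skip the entity; the file or URL is never opened

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def is_safe_for_untangle(xml_text: str) -> bool:
    """Gate to call on untrusted input before untangle.parse(xml_text)."""
    return not xxe_findings(xml_text)


# Constructed samples, not taken from the advisory.
SAFE_XML = "<config><timeout>30</timeout></config>"
XXE_XML = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE config [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
           "<config>&xxe;</config>")
```

The findings list doubles as log material for the indicators in the Detection & Monitoring section, since each entry names the DOCTYPE or entity that was rejected.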
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from XML parsing processes
- Errors related to XML parsing or file not found from untangle operations
Network Indicators:
- XML payloads containing DOCTYPE declarations or external entity references sent to applications
SIEM Query:
source="application_logs" AND ("untangle" OR "XML parse") AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")