CVE-2022-48565
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in Python's plistlib module. Before the fix (bpo-42051), plistlib accepted entity declarations in the DOCTYPE of an XML plist, so whoever supplies the plist can declare external entities (the classic XXE file-read payload) or nested internal entities that blow up on expansion (denial of service). Affected: Python 3.9.1 and earlier, including the 3.8, 3.7 and 3.6 branches before 3.8.8, 3.7.10 and 3.6.13. Any Python application that loads XML plist files from untrusted sources with plistlib.load() or plistlib.loads() is affected. Regular plist files never contain entity declarations, so rejecting them (which is what the fix does) breaks nothing legitimate.
💻 Affected Systems
- Python (standard library module plistlib): 3.9.1 and earlier, including 3.8 before 3.8.8, 3.7 before 3.7.10 and 3.6 before 3.6.13
📦 What is this software?
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the Python process can read (/etc/passwd, SSH keys, configuration files holding credentials), server-side request forgery through entities that point at internal URLs, or a denial of service through entity expansion. The flaw is in parsing, not in evaluation, so it does not by itself give remote code execution.
Likely Case
Arbitrary file read from the server, potentially exposing sensitive configuration files, source code, or user data.
If Mitigated
Limited impact if proper input validation and XML parsing restrictions are in place, or if plist files are from trusted sources only.
🎯 Exploit Status
XXE is a well-understood vulnerability class with many public payload examples, and nothing plistlib-specific is needed: a payload is an ordinary XML plist whose DOCTYPE declares the entities, delivered through whatever path feeds plistlib (file uploads, configuration or bundle files extracted from user-supplied archives). Exploitation requires only that the attacker controls a plist the application parses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.9.2, 3.8.8, 3.7.10 and 3.6.13 (and every later release)
Vendor Advisory: https://bugs.python.org/issue42051
Restart Required: Yes. plistlib is loaded at import time, so running Python processes keep the old module until they are restarted.
Instructions:
1. Upgrade Python to 3.9.2, 3.8.8, 3.7.10 or 3.6.13 (or later on that branch).
2. For systems that cannot upgrade immediately, apply the backported patch from your distribution vendor (see the Debian and Fedora advisories under References).
3. Restart every Python service that parses plists, then test that plist parsing still works. The fix only rejects entity declarations, which well-formed plist files never contain.
🔧 Temporary Workarounds
Reject entity declarations before the input reaches plistlib
plistlib does not accept a caller-supplied parser, so assigning a handler on an xml.etree XMLParser has no effect on it. Entity declarations can only appear inside a DOCTYPE, and plist files never need one, so the simplest guard is to refuse any document that contains a DOCTYPE before calling plistlib.loads(). Caveat: a plain byte scan does not see a DOCTYPE in a UTF-16 encoded document, so reject or transcode non-UTF-8 input first, or pre-parse the bytes with expat's EntityDeclHandler, which is the check the upstream fix adds.
import plistlib

def loads_without_doctype(data: bytes):
    # Entity declarations live only inside a DOCTYPE, which plists never need.
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE is not allowed in plist input")
    return plistlib.loads(data)
Accept only binary plists
Converting files you already hold to binary does not protect a parser that still accepts XML from the outside. Where you control the producer, require the binary format: check the bplist00 magic and call plistlib.loads() with fmt=plistlib.FMT_BINARY, so XML input is never handed to the XML parser. Write with plistlib.dumps(obj, fmt=plistlib.FMT_BINARY) on the producing side.
import plistlib
# data holds the untrusted input bytes; XML never reaches the XML parser.
if not data.startswith(b"bplist00"):
    raise ValueError("binary plist required")
obj = plistlib.loads(data, fmt=plistlib.FMT_BINARY)
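The following is an added example, not code from the page or from CPython, showing the two workarounds combined in one loader: binary plists pass straight through, and XML input is pre-parsed with expat carrying only an EntityDeclHandler that raises, the same kind of guard the upstream fix installs inside plistlib. The sample plists are constructed for the example; the file path in the external-entity sample is a placeholder and is never resolved. The UTF-16 sample shows why a byte scan for b"<!DOCTYPE" is not sufficient on its own.

```python
import plistlib
import xml.parsers.expat

# Constructed sample: an ordinary XML plist with no DOCTYPE.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key>
  <string>example</string>
</dict>
</plist>
"""

# Constructed sample: same plist plus an internal DTD subset declaring an
# external entity (assumed placeholder path; the declaration is rejected
# before anything could be resolved).
XXE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<plist version="1.0">
<dict>
  <key>name</key>
  <string>&xxe;</string>
</dict>
</plist>
"""

# Constructed sample: internal entities only (no SYSTEM keyword), the shape
# of an entity-expansion denial of service. A grep for "SYSTEM" misses it.
EXPANSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<plist version="1.0">
<dict><key>k</key><string>&b;</string></dict>
</plist>
"""

# Constructed sample: the XXE document without its XML declaration, re-encoded
# as UTF-16 with a BOM. expat auto-detects the encoding, but the ASCII bytes
# b"<!DOCTYPE" never appear in it, so a byte scan alone is not enough.
XXE_PLIST_UTF16 = XXE_PLIST.split(b"\n", 1)[1].decode("ascii").encode("utf-16")


class EntityDeclarationError(ValueError):
    """Raised when an XML plist carries any entity declaration."""


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Same signature as expat's EntityDeclHandler. Raising inside the callback
    # aborts the parse before any entity can be referenced or expanded.
    raise EntityDeclarationError(
        f"entity declaration {entity_name!r} not allowed in plist input")


def safe_plist_loads(data: bytes):
    """Load a plist, refusing XML documents that declare entities.

    Binary plists contain no XML and pass straight through. XML input is first
    parsed by expat with only an EntityDeclHandler installed and handed to
    plistlib only if that pass completes without raising.
    """
    if data.startswith(b"bplist00"):
        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
    guard = xml.parsers.expat.ParserCreate()
    guard.EntityDeclHandler = _reject_entity_decl
    guard.Parse(data, True)  # raises EntityDeclarationError or ExpatError
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def is_rejected(data: bytes) -> bool:
    """True if safe_plist_loads refuses the input because it declares an entity."""
    try:
        safe_plist_loads(data)
    except EntityDeclarationError:
        return True
    return False


def binary_roundtrip(obj):
    """Binary plists skip the XML guard entirely and still load."""
    return safe_plist_loads(plistlib.dumps(obj, fmt=plistlib.FMT_BINARY))


if __name__ == "__main__":
    print(safe_plist_loads(BENIGN_PLIST))
    for name, doc in [("external entity", XXE_PLIST),
                      ("entity expansion", EXPANSION_PLIST),
                      ("utf-16 xxe", XXE_PLIST_UTF16)]:
        print(name, "rejected:", is_rejected(doc))
```

The guard parses the document twice, which is cheap for plists and keeps plistlib's own parser untouched; once the interpreter is upgraded, the pre-pass becomes redundant and the function can simply call plistlib.loads().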
🧯 If You Can't Patch
- Treat XML plist input as untrusted: reject files from unauthenticated sources, and drop any document containing a DOCTYPE or ENTITY declaration before it is parsed
- Where plists arrive over HTTP, a web application firewall with XXE rules (DOCTYPE or ENTITY declarations in request bodies) adds a layer, but it does not cover plists read from disk, archives or message queues
🔍 How to Verify
Check if Vulnerable:
Check the Python version with 'python --version' or 'python3 --version'. The interpreter is unpatched if it is below 3.9.2 on the 3.9 branch, 3.8.8 on 3.8, 3.7.10 on 3.7 or 3.6.13 on 3.6; it matters only if the application parses XML plists with plistlib.load() or plistlib.loads(). Distribution packages may carry the fix under an older version string, so confirm behaviourally: a patched plistlib raises plistlib.InvalidFileException on any plist that declares an entity.
Check Version:
python --version
Verify Fix Applied:
After patching, feed plistlib.loads() a plist whose DOCTYPE declares a harmless internal entity (no SYSTEM identifier, so nothing is read) and confirm it raises InvalidFileException with the message "XML entity declarations are not supported in plist files". Confirm the interpreter is 3.9.2, 3.8.8, 3.7.10, 3.6.13 or later, and that long-running services have been restarted so they run the patched module.
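An added verification script, not part of the page or of CPython, that runs both checks described above: a version-string comparison against the first fixed release of each branch, and a behavioural probe that hands plistlib a constructed plist declaring a harmless internal entity. The probe is the check to trust, since vendor backports fix the module without bumping the version.

```python
import plistlib
import sys

# First release on each 3.x branch that carries the bpo-42051 fix; every later
# branch (3.10 onwards) shipped with it from the start.
FIXED_MINIMUM = {6: (3, 6, 13), 7: (3, 7, 10), 8: (3, 8, 8), 9: (3, 9, 2)}

# Constructed probe: an internal entity only, so it reads no files and is
# harmless on an unpatched interpreter (there it just expands to "probe").
PROBE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY x "probe"> ]>
<plist version="1.0"><dict><key>k</key><string>&x;</string></dict></plist>
"""


def version_says_fixed(version_info) -> bool:
    """Version-string check: True if this CPython release includes the fix."""
    major, minor, micro = version_info[:3]
    if major != 3:
        return False
    if minor >= 10:
        return True
    floor = FIXED_MINIMUM.get(minor)
    return floor is not None and (major, minor, micro) >= floor


def entity_decl_rejected() -> bool:
    """Behavioural check: True if the running plistlib refuses entity declarations.

    A patched plistlib raises InvalidFileException on the DOCTYPE; an unpatched
    one expands the entity and returns {'k': 'probe'}.
    """
    try:
        plistlib.loads(PROBE_PLIST)
    except plistlib.InvalidFileException:
        return True
    return False


def verdict() -> dict:
    """Both checks side by side; disagreement usually means a vendor backport."""
    return {
        "python": "%d.%d.%d" % sys.version_info[:3],
        "version_says_fixed": version_says_fixed(sys.version_info),
        "entity_decl_rejected": entity_decl_rejected(),
    }


if __name__ == "__main__":
    result = verdict()
    print(result)
    # Non-zero exit when entity declarations are still accepted, so the script
    # can gate a deployment or fleet check.
    sys.exit(0 if result["entity_decl_rejected"] else 1)
```

Run it with each interpreter that serves the application (system python3, virtualenvs, container images); the version check is only advisory, the exit status follows the behavioural probe.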
📡 Detection & Monitoring
Log Indicators:
- On patched interpreters: application errors carrying plistlib's InvalidFileException message "XML entity declarations are not supported in plist files", which means a payload reached the parser and was refused
- On unpatched interpreters: Python processes reading files unrelated to their normal working set while handling plist input, or parser errors mentioning entities or a DTD
- Unusually large or slow-to-parse XML plist inputs (entity expansion)
Network Indicators:
- Incoming plist uploads whose XML carries a DOCTYPE or ENTITY declaration; legitimate plists never need either
SIEM Query (assumes the application writes parser exceptions to application.log):
source="application.log" AND ("XML entity declarations are not supported in plist files" OR ("plist" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")))
🔗 References
- https://bugs.python.org/issue42051
- https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
- https://security.netapp.com/advisory/ntap-20231006-0007/