CVE-2022-48565

Description

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

How to fix CVE-2022-48565

To remediate CVE-2022-48565, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.6.13 or later
• Bitnami/python—upgrade to 3.6.13 or later
• —upgrade to 3.6.13 or later
• —upgrade to 7.3.5+dfsg-2 or later
• —upgrade to 2.7.18-8+deb11u1 or later
• —upgrade to 3.9.1~rc1-1 or later

Is CVE-2022-48565 being exploited?

Moderate — EPSS is 7.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
• from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
• from 0, < 3.6.13, >= 3.7.0, < 3.7.10, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.1
• from 0, < 7.3.5+dfsg-2
• from 0, < 2.7.18-8+deb11u1
• from 0, < 3.9.1~rc1-1

CVSS scores

References (9)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-48565
• WEBbugs.python.org/issue42051
• WEBlists.debian.org/debian-lts-announce/2023/09/msg00022.html
• WEBlists.debian.org/debian-lts-announce/2023/10/msg00017.html