BIT-python-2022-48565

BIT-python-2022-48565 PUBLISHED CVSS 9.800000190734863 CRITICAL

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Bitnami	python	0, 3.7.0, 3.8.0

Exploit Intelligence

A proof-of-concept for CVE-2022-48565 - python plistlib XML deserialisation attack (github-poc-repo)
A proof-of-concept for CVE-2022-48565 - python plistlib XML deserialisation attack (github-poc)
zephyr-crosstool-arm-grype.html (github-poc)

Timeline

Mar 6, 2024 CVE Published
Sep 5, 2025 CVE Updated

References

https://bugs.python.org/issue42051 url
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html url
https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/ url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/ url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/ url
https://security.netapp.com/advisory/ntap-20231006-0007/ url
https://nvd.nist.gov/vuln/detail/CVE-2022-48565 url

Open in Interactive Console →