DEBIAN-CVE-2022-48565

DEBIAN-CVE-2022-48565 PUBLISHED CVSS 9.800000190734863 CRITICAL

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:11	pypy3	0, 0, 0
Debian:11	python2.7	2.7.18-8, 2.7.18-8, 2.7.18-8
Debian:14	pypy3	0, 0, 0
Debian:11	python3.9	0, 0, 0
Debian:13	pypy3	0, 0, 0
Debian:12	pypy3	0, 0, 0

Exploit Intelligence

A proof-of-concept for CVE-2022-48565 - python plistlib XML deserialisation attack (github-poc-repo)
A proof-of-concept for CVE-2022-48565 - python plistlib XML deserialisation attack (github-poc)
zephyr-crosstool-arm-grype.html (github-poc)

Timeline

Aug 22, 2023 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2022-48565 advisory

Open in Interactive Console →