Vulnerability Description
Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
CVSS Score
8.2
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Openpyxl | 2.4.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2017/02/07/5Mailing ListThird Party Advisory
- https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1Issue TrackingThird Party Advisory
- https://bitbucket.org/openpyxl/openpyxl/issues/749Issue TrackingThird Party Advisory
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442Issue TrackingThird Party Advisory
- http://www.openwall.com/lists/oss-security/2017/02/07/5Mailing ListThird Party Advisory
- https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1Issue TrackingThird Party Advisory
- https://bitbucket.org/openpyxl/openpyxl/issues/749Issue TrackingThird Party Advisory
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442Issue TrackingThird Party Advisory
FAQ
What is CVE-2017-5992?
CVE-2017-5992 is a vulnerability with a CVSS score of 8.2 (HIGH). Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.
How severe is CVE-2017-5992?
CVE-2017-5992 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5992?
Check the references section above for vendor advisories and patch information. Affected products include: Python Openpyxl.