lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files. Setting the `resolve_entities` option explicitly to `resolve_entities="internal"` or `resolve_entities=False` disables the local file access. This vulnerability is fixed in 6.1.0.
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
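The mitigation named above is a parser setting, so the practical check is whether a parser built with it leaves external entity references unexpanded. The following is an added example, not code from the advisory or from the lxml project: it builds an `XMLParser` with `resolve_entities=False` (plus lxml's own `no_network` and `load_dtd` options as extra hardening) and parses a constructed document whose external entity points at a placeholder file path, then reports which entity references survived unexpanded. It assumes lxml is installed; the file path is a placeholder and does not need to exist.

```python
from lxml import etree

# Constructed sample document (not from the advisory): it declares an external
# general entity whose SYSTEM identifier is a placeholder local file path and
# then references that entity in element content. This is the shape of input
# that a resolving parser would turn into a local file read.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file.txt">
]>
<doc>&ext;</doc>"""


def make_hardened_parser() -> etree.XMLParser:
    """Build an XMLParser that does not expand external entities.

    resolve_entities=False is the setting named in the advisory: entity
    references are kept as unexpanded nodes instead of being substituted
    with the target's content. no_network=True and load_dtd=False are
    additional lxml options that stop the parser fetching remote resources
    or an external DTD at all.
    """
    return etree.XMLParser(
        resolve_entities=False,
        no_network=True,
        load_dtd=False,
    )


def parse_untrusted(data: bytes) -> etree._Element:
    """Parse untrusted XML bytes with the hardened parser and return the root."""
    return etree.fromstring(data, make_hardened_parser())


def unexpanded_entities(root: etree._Element) -> list:
    """Return the names of entity references left unexpanded in the tree.

    A non-empty list after parsing a document like SAMPLE_XML is the evidence
    that the parser did not substitute, and therefore did not read, the
    external entity's target.
    """
    return [node.name for node in root.iter(etree.Entity)]


def serialize(root: etree._Element) -> bytes:
    """Serialize the root element; an unexpanded reference stays as &name;."""
    return etree.tostring(root)


if __name__ == "__main__":
    tree = parse_untrusted(SAMPLE_XML)
    print("unexpanded entity references:", unexpanded_entities(tree))
    print("serialized:", serialize(tree))
```

Running this prints `['ext']` and `b'<doc>&ext;</doc>'`: the reference is preserved verbatim rather than replaced by file contents. The same `make_hardened_parser()` can be passed to `etree.parse()` or `etree.fromstring()` wherever the application handles input it does not control; checking `unexpanded_entities()` on a known sample is a cheap regression test that the hardened configuration is actually the one in use.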
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lxml | Lxml | * | 6.1.0 (excluding) |
| Lxml | Ubuntu | esm-infra/xenial | * |
| Lxml | Ubuntu | questing | * |
| Lxml | Ubuntu | resolute | * |
| Lxml | Ubuntu | upstream | * |