CVE-2021-39371

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

Summary:

Reference Links(if available):

https://github.com/geopython/pywps/pull/616

https://github.com/geopython/OWSLib/issues/790

https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html

CVSS Score (if available)

v2: / MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N

v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2021-39371

Summary:

Reference Links(if available):

CVSS Score (if available)

Links to Exploits(if available)

CISA: JCDC’s Industry-Government Collaboration Speeds Mitigation of CrowdStrike IT Outage

CISA: CISA Releases Three Industrial Control Systems Advisories

CISA: Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation

CISA: Foreign Threat Actor Conducting Large-Scale Spearphishing Campaign with RDP Attachments

CISA: CISA Releases Four Industrial Control Systems Advisories

Summary:

Reference Links(if available):

CVSS Score (if available)

Links to Exploits(if available)

You may have missed

CISA: JCDC’s Industry-Government Collaboration Speeds Mitigation of CrowdStrike IT Outage

CISA: CISA Releases Three Industrial Control Systems Advisories

CISA: Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation

CISA: Foreign Threat Actor Conducting Large-Scale Spearphishing Campaign with RDP Attachments

CISA: CISA Releases Four Industrial Control Systems Advisories