{"id":"CVE-2021-39371","details":"An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.","aliases":["GHSA-p9wf-3xpg-c9g5","PYSEC-2021-121"],"modified":"2026-04-10T04:38:05.462741Z","published":"2021-08-23T01:15:06.373Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html"},{"type":"FIX","url":"https://github.com/geopython/OWSLib/issues/790"},{"type":"FIX","url":"https://github.com/geopython/pywps/pull/616"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/geopython/owslib","events":[{"introduced":"0"},{"last_affected":"c5e1125300471824bd88a48651fb85695617570f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.24.1"}]}},{"type":"GIT","repo":"https://github.com/geopython/pywps","events":[{"introduced":"0"},{"fixed":"16355299bc3147dd8215d0d13b78c49b4380c50e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.4.5"}]}}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.11.0","0.11.1","0.11.2","0.12.0","0.13.0","0.14.0","0.15.0","0.16.0","0.17.0","0.17.1","0.18.0","0.19.0","0.19.1","0.19.2","0.20.0","0.21.0","0.22.0","0.23.0","0.24.0","0.24.1","0.5.1","0.6.0","0.6.1","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.10","0.8.11","0.8.12","0.8.13","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","0.9.0","0.9.1","0.9.2","4.0.0","4.0.0-rc3","4.2.0","4.2.1","4.2.10","4.2.11","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","PyWPS-4.0.0-alpha","pywps-4.0.0-beta1","pywps-4.0.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39371.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}