{"id":"PYSEC-2017-48","details":"Openpyxl 2.4.1 resolves XML external entities by default, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted .xlsx document. Note: this description names 2.4.1 as affected, whereas the affected range in this record marks 2.4.1 as the fixed version; confirm the fixed version against the referenced upstream issue and commit before relying on the range.","aliases":["CVE-2017-5992","GHSA-chqf-hx79-gxc6"],"modified":"2023-11-08T03:59:23.709780Z","published":"2017-02-15T19:59:00Z","references":[{"type":"WEB","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442"},{"type":"WEB","url":"https://bitbucket.org/openpyxl/openpyxl/issues/749"},{"type":"WEB","url":"https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2017/02/07/5"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-chqf-hx79-gxc6"}],"affected":[{"package":{"name":"openpyxl","ecosystem":"PyPI","purl":"pkg:pypi/openpyxl"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.1"}]}],"versions":["1.1.0","1.1.5","1.1.6","1.1.7","1.2.3","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.6.1","1.6.2","1.7.0","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","2.0.2","2.0.3","2.0.4","2.0.5","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/openpyxl/PYSEC-2017-48.yaml"}}],"schema_version":"1.7.3"}