<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 14:07:34 +0000</lastBuildDate>
    <item>
      <title>e3a1a376-bfd2-4efb-b8e2-89a0cbb13739</title>
      <link>https://vulnerability.circl.lu/sighting/e3a1a376-bfd2-4efb-b8e2-89a0cbb13739/export</link>
      <description>{"uuid": "e3a1a376-bfd2-4efb-b8e2-89a0cbb13739", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-4CC2-G9W2-FHF6", "type": "seen", "source": "https://gist.github.com/alon710/d42b4dbefc93b27ac577422cb0d5bd9b", "content": "# GHSA-4CC2-G9W2-FHF6: GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution\n\n&amp;gt; **CVSS Score:** 5.9\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6\n\n## Summary\nA regression in python-zeep (versions 4.0.0 through 4.3.2) silently ignores the security configuration designed to block transitive external resource fetches during WSDL and XSD parsing. This defect exposes applications to Server-Side Request Forgery (SSRF) when loading untrusted schemas.\n\n## TL;DR\nA silent regression in python-zeep versions 4.0.0 to 4.3.2 ignores the forbid_external security setting, allowing remote attackers to trigger unauthenticated SSRF against internal endpoints.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-918\n- **Attack Vector**: Network\n- **CVSS v3.1**: 5.9 (Medium)\n- **Impact**: Confidentiality High\n- **Exploit Status**: Proof of Concept available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Applications implementing python-zeep (zeep) version 4.0.0 through 4.3.2\n- **zeep**: &amp;gt;= 4.0.0, &amp;lt;= 4.3.2 (Fixed in: `4.3.3`)\n\n## Mitigation\n\n- Upgrade python-zeep to version 4.3.3 or higher.\n- Explicitly enable the forbid_external=True configuration parameter in python-zeep Settings.\n- Enforce network egress filtering to block requests to RFC 1918 addresses and link-local cloud metadata endpoints.\n\n**Remediation Steps:**\n1. Run your package manager update command: pip install --upgrade zeep&amp;gt;=4.3.3\n2. Locate client instantiation files in the codebase.\n3. Import the Settings class from zeep.\n4. Define settings = Settings(forbid_external=True) and pass this object to the Client initializer.\n\n## References\n\n- [GHSA-4cc2-g9w2-fhf6 Security Advisory](https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-21T21:42:12.000000Z"}</description>
      <content:encoded>{"uuid": "e3a1a376-bfd2-4efb-b8e2-89a0cbb13739", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-4CC2-G9W2-FHF6", "type": "seen", "source": "https://gist.github.com/alon710/d42b4dbefc93b27ac577422cb0d5bd9b", "content": "# GHSA-4CC2-G9W2-FHF6: GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution\n\n&amp;gt; **CVSS Score:** 5.9\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6\n\n## Summary\nA regression in python-zeep (versions 4.0.0 through 4.3.2) silently ignores the security configuration designed to block transitive external resource fetches during WSDL and XSD parsing. This defect exposes applications to Server-Side Request Forgery (SSRF) when loading untrusted schemas.\n\n## TL;DR\nA silent regression in python-zeep versions 4.0.0 to 4.3.2 ignores the forbid_external security setting, allowing remote attackers to trigger unauthenticated SSRF against internal endpoints.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-918\n- **Attack Vector**: Network\n- **CVSS v3.1**: 5.9 (Medium)\n- **Impact**: Confidentiality High\n- **Exploit Status**: Proof of Concept available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Applications implementing python-zeep (zeep) version 4.0.0 through 4.3.2\n- **zeep**: &amp;gt;= 4.0.0, &amp;lt;= 4.3.2 (Fixed in: `4.3.3`)\n\n## Mitigation\n\n- Upgrade python-zeep to version 4.3.3 or higher.\n- Explicitly enable the forbid_external=True configuration parameter in python-zeep Settings.\n- Enforce network egress filtering to block requests to RFC 1918 addresses and link-local cloud metadata endpoints.\n\n**Remediation Steps:**\n1. Run your package manager update command: pip install --upgrade zeep&amp;gt;=4.3.3\n2. Locate client instantiation files in the codebase.\n3. Import the Settings class from zeep.\n4. Define settings = Settings(forbid_external=True) and pass this object to the Client initializer.\n\n## References\n\n- [GHSA-4cc2-g9w2-fhf6 Security Advisory](https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-21T21:42:12.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/e3a1a376-bfd2-4efb-b8e2-89a0cbb13739/export</guid>
      <pubDate>Sun, 21 Jun 2026 21:42:12 +0000</pubDate>
    </item>
  </channel>
</rss>
