CVE-2023-45139: 
Python vulnerability analysis and mitigation

FontTools, a Python library for manipulating fonts, contains an XML External Entity Injection (XXE) vulnerability (CVE-2023-45139) in its subsetting module. The vulnerability affects versions from 4.28.2 to versions prior to 4.43.0, and was patched in version 4.43.0. The issue occurs when parsing SVG tables in OpenType fonts (OT-SVG fonts), where the library failed to disable external entity expansion by default (GitHub Advisory, NVD).

The vulnerability is classified as a CWE-611 (Improper Restriction of XML External Entity Reference) issue. It has a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from the library's use of lxml for processing SVG tables in OpenType fonts without disabling external entity expansion, which was enabled by default in lxml versions prior to 5.0.0 (OSS Security).

The vulnerability allows attackers to include arbitrary files from the filesystem where FontTools is running or make web requests from the host system. The impact is most significant for consumers of FontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts, where the vulnerability can be exploited to read arbitrary files from the host filesystem (GitHub Advisory).

The vulnerability has been patched in FontTools version 4.43.0 by setting resolve_entities=False when parsing OT-SVG documents. Users are advised to upgrade to version 4.43.0 or later. Alternative mitigations include setting the resolve_entities=False flag on parsing methods, considering methods to disallow doctype declarations, and implementing recursive regex matching (GitHub Advisory).