During a security audit of pan-os-python, two findings were identified.
Finding 1: Unsafe XML parser (High)
xml.etree.ElementTree is used across 10 core modules with no defusedxml
replacement or defuse_stdlib() call anywhere in the codebase.
Affected modules:
base.py, firewall.py, network.py, panorama.py, policies.py,
objects.py, ha.py, plugins.py, userid.py, __init__.py
The library's purpose is parsing XML responses from live network devices.
Any attacker-influenced response (MitM, compromised appliance, rogue endpoint)
is processed without XXE or Billion Laughs protection.
Fix: replace import xml.etree.ElementTree as ET with
import defusedxml.ElementTree as ET in each affected module.
Drop-in compatible, no API changes required.
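The same policy in stdlib-only form, as an added example that is not pan-os-python code: a wrapper that refuses any DTD or entity declaration before ElementTree ever sees the response, shown against two constructed sample documents (parse_device_response, is_safe_response and the samples are assumptions, not names from the project).

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXMLConstruct(ValueError):
    """A DTD or entity declaration appeared in an API response."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    # Fires for inline and external (SYSTEM/PUBLIC) DTDs alike.
    raise ForbiddenXMLConstruct("DOCTYPE not allowed: %r" % name)


def _forbid_entity(*decl):
    # Defence in depth for <!ENTITY ...> declarations; decl[0] is the name.
    raise ForbiddenXMLConstruct("entity declaration not allowed: %r" % decl[0])


def parse_device_response(data: bytes) -> ET.Element:
    """Parse an XML API response, refusing DTDs and entity declarations.

    A bare expat pass raises at the first forbidden construct, before
    anything is expanded; only a clean document reaches ElementTree.
    Stricter than defusedxml's defaults, which allow a DTD but forbid
    entity declarations and external references.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _forbid_doctype
    guard.EntityDeclHandler = _forbid_entity
    guard.UnparsedEntityDeclHandler = _forbid_entity
    guard.Parse(data, True)
    return ET.fromstring(data)


def is_safe_response(data: bytes) -> bool:
    try:
        parse_device_response(data)
    except ForbiddenXMLConstruct:
        return False
    return True


def stdlib_text(data: bytes, path: str) -> str:
    """What the unguarded stdlib parser yields: entities get substituted."""
    return ET.fromstring(data).findtext(path)


# Constructed samples, not captured PAN-OS responses.
BENIGN = (b'<response status="success"><result><system>'
          b'<hostname>fw01</hostname></system></result></response>')
WITH_ENTITY = (b'<!DOCTYPE response [<!ENTITY e "expanded">]>'
               b'<response><result>&e;</result></response>')
```

Unguarded xml.etree substitutes the declared entity into the result text, while the guarded parser rejects the document at the DOCTYPE and never reaches expansion.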
Finding 2: SHA-1 used for value hashing (Medium)
panos/base.py:3172 uses hashlib.sha1() with an inline comment
explicitly documenting the usage. SHA-1 has been cryptographically
broken since 2017.