GHSA-4cc2-g9w2-fhf6: Zeep: Server-Side Request Forgery (SSRF)

When parsing a WSDL or XSD document, python-zeep follows transitive references — xsd:import, xsd:include, wsdl:import, and lxml entity/DTD resolution — and will fetch http/https URLs found in those references. The Settings.forbid_external option, intended to disable this transitive remote fetching, was defined but not wired to any logic from version 4.0.0 through 4.3.2 (a regression introduced when zeep moved off defusedxml in 4.0). As a result, setting forbid_external=True had no effect, and applications that processed untrusted or attacker-influenced WSDL/XSD documents could be coerced into making server-side requests to arbitrary URLs (SSRF).