CVE-2013-1664

Published: 03/04/2013 Updated: 15/05/2013
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote malicious users to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

Vulnerable Product

openstack cinder folsom -

openstack keystone essex -

openstack folsom -

openstack grizzly -

openstack compute (nova) essex -

openstack compute (nova) folsom -

Vendor Advisories

Debian Bug report logs - #700948: keystone: CVE-2013-1664 (DoS in xml entity parsing) and CVE-2013-1665 (information leak via xml entity parsing). Package: keystone; Maintainer for keystone is Debian OpenStack <team+openstack@tracker.debian.org>; Source for keystone is src:keystone (PTS, buildd, popcon). Reported by: Thomas Goi ...
Synopsis: Moderate: openstack-cinder security and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: Updated openstack-cinder packages that fix two security issues and add one enhancement are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as ...
Synopsis: Moderate: openstack-keystone security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: Updated openstack-keystone packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat OpenStack Folsom. The Red Hat Security Response ...
Synopsis: Moderate: openstack-nova security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: Updated openstack-nova packages that fix two security issues, several bugs, and add an enhancement are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has ...
Synopsis: Moderate: Django security update. Type/Severity: Security Advisory: Moderate. Topic: Updated Django packages that fix multiple security issues are now available for Red Hat OpenStack Folsom. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability S ...
Several security issues were fixed in Django ...
Cinder could be made to crash if it received specially crafted input ...
Nova could be made to crash if it received specially crafted input ...
Keystone could be made to crash or expose sensitive information over the network ...