The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and previous versions allows remote malicious users to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
openstack cinder |
||
canonical ubuntu linux 13.04 |