GitHub Advisory DatabaseGHSA-X64M-686F-FMM3XML External Entity (XXE) in Django
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
69.1%
The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Affected configurations
References
blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
bugs.python.org/issue17239
lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
rhn.redhat.com/errata/RHSA-2013-0657.html
rhn.redhat.com/errata/RHSA-2013-0658.html
rhn.redhat.com/errata/RHSA-2013-0670.html
ubuntu.com/usn/usn-1757-1
www.debian.org/security/2013/dsa-2634
www.openwall.com/lists/oss-security/2013/02/19/2
www.openwall.com/lists/oss-security/2013/02/19/4
bugs.launchpad.net/keystone/+bug/1100279
github.com/advisories/GHSA-x64m-686f-fmm3
github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40
github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112
nvd.nist.gov/vuln/detail/CVE-2013-1665
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7 High
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
69.1%