Metric | Value |
---|---|
CVSS2 score | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
EPSS | 0.09 Low |
EPSS Percentile | 94.6% |
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in
OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and
Folsom; Cinder Folsom; Django; and possibly other products allow remote
attackers to cause a denial of service (resource consumption and crash) via
an XML Entity Expansion (XEE) attack.
Author | Note |
---|---|
jdstrand | Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon. Quantum will be fixed in grizzly rc1, due out the 2nd week of March. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.10 | noarch | cinder | < 2012.2.1-0ubuntu1.1 | UNKNOWN |
ubuntu | 12.04 | noarch | keystone | < 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5 | UNKNOWN |
ubuntu | 12.10 | noarch | keystone | < 2012.2.1-0ubuntu1.2 | UNKNOWN |
ubuntu | 11.10 | noarch | nova | < 2011.3-0ubuntu6.12 | UNKNOWN |
ubuntu | 12.04 | noarch | nova | < 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2 | UNKNOWN |
ubuntu | 12.10 | noarch | nova | < 2012.2.1+stable-20121212-a99a802e-0ubuntu1.2 | UNKNOWN |
ubuntu | 10.04 | noarch | python-django | < 1.1.1-2ubuntu1.8 | UNKNOWN |
ubuntu | 11.10 | noarch | python-django | < 1.3-2ubuntu1.6 | UNKNOWN |
ubuntu | 12.04 | noarch | python-django | < 1.3.1-4ubuntu1.6 | UNKNOWN |
ubuntu | 12.10 | noarch | python-django | < 1.4.1-2ubuntu0.3 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2013-1664
nvd.nist.gov/vuln/detail/CVE-2013-1664
security-tracker.debian.org/tracker/CVE-2013-1664
ubuntu.com/security/notices/USN-1730-1
ubuntu.com/security/notices/USN-1731-1
ubuntu.com/security/notices/USN-1734-1
ubuntu.com/security/notices/USN-1757-1
www.cve.org/CVERecord?id=CVE-2013-1664
www.djangoproject.com/weblog/2013/feb/19/security/