CVE-2013-1664 - OpenCVE

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Openstack	Compute \(nova\) Essex Compute \(nova\) Folsom Keystone Essex Cinder Folsom Grizzly Folsom

Configuration 1 [-]

OR	cpe:2.3:a:openstack:cinder_folsom:-:::::::*
	cpe:2.3:a:openstack:compute_\(nova\)_essex:-:::::::*
	cpe:2.3:a:openstack:compute_\(nova\)_folsom:-:::::::*
	cpe:2.3:a:openstack:folsom:-:::::::*
	cpe:2.3:a:openstack:grizzly:-:::::::*
	cpe:2.3:a:openstack:keystone_essex:-:::::::*

References

Link	Resource
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
http://bugs.python.org/issue17239
http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0657.html
http://rhn.redhat.com/errata/RHSA-2013-0658.html
http://rhn.redhat.com/errata/RHSA-2013-0670.html
http://ubuntu.com/usn/usn-1757-1
http://www.openwall.com/lists/oss-security/2013/02/19/2
http://www.openwall.com/lists/oss-security/2013/02/19/4
https://bugs.launchpad.net/nova/+bug/1100282	Exploit

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2013-04-03T00:00:00

Updated: 2013-04-11T09:00:00

Reserved: 2013-02-13T00:00:00

Link: CVE-2013-1664

JSON object: View

NVD Information

Status : Modified

Published: 2013-04-03T00:55:02.177

Modified: 2013-05-15T03:35:50.693

Link: CVE-2013-1664

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-19T00:00:00", "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-04-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/nova/+bug/1100282"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.python.org/issue17239"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-1664", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "https://bugs.launchpad.net/nova/+bug/1100282", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/nova/+bug/1100282"}, {"name": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", "refsource": "CONFIRM", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"name": "http://bugs.python.org/issue17239", "refsource": "CONFIRM", "url": "http://bugs.python.org/issue17239"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-1664", "datePublished": "2013-04-03T00:00:00", "dateReserved": "2013-02-13T00:00:00", "dateUpdated": "2013-04-11T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:cinder_folsom:-:*:*:*:*:*:*:*", "matchCriteriaId": "D610C26F-010E-456B-8B55-0A0B7F0DD82D", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute_\\(nova\\)_essex:-:*:*:*:*:*:*:*", "matchCriteriaId": "1AAA04C7-D6A9-4ED1-A179-CA58A5A9C0A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:compute_\\(nova\\)_folsom:-:*:*:*:*:*:*:*", "matchCriteriaId": "47CA869C-0CD8-42A7-8F1B-1CDA8B9DB218", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*", "matchCriteriaId": "F5BA13BC-F088-45AA-AD10-B74F89CE5375", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*", "matchCriteriaId": "A83ED744-9E3D-4510-B3E6-6DDE1090F0B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:keystone_essex:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD5F4534-9D98-4F86-898C-EAFB0C4CEDAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack."}, {"lang": "es", "value": "OpenStack Keystone Essex, Folsom, y Grizzly; Compute (Nova) Essex y Folsom, Folsom y Cinder permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos y ca\u00edda) mediante un ataque de Entidad de expansi\u00f3n XML(XEE)."}], "id": "CVE-2013-1664", "lastModified": "2013-05-15T03:35:50.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-03T00:55:02.177", "references": [{"source": "cve@mitre.org", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"source": "cve@mitre.org", "url": "http://bugs.python.org/issue17239"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"source": "cve@mitre.org", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://bugs.launchpad.net/nova/+bug/1100282"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}