CVE-2013-1665 - OpenCVE

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Openstack	Folsom Keystone Essex

Configuration 1 [-]

OR	cpe:2.3:a:openstack:folsom:-:::::::*
	cpe:2.3:a:openstack:keystone_essex:-:::::::*

References

Link	Resource
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
http://bugs.python.org/issue17239
http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0657.html
http://rhn.redhat.com/errata/RHSA-2013-0658.html
http://rhn.redhat.com/errata/RHSA-2013-0670.html
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2013/02/19/2
http://www.openwall.com/lists/oss-security/2013/02/19/4
https://bugs.launchpad.net/keystone/+bug/1100279	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2013-04-03T00:00:00

Updated: 2013-04-11T09:00:00

Reserved: 2013-02-13T00:00:00

Link: CVE-2013-1665

JSON object: View

NVD Information

Status : Modified

Published: 2013-04-03T00:55:02.207

Modified: 2013-05-15T03:35:51.290

Link: CVE-2013-1665

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-19T00:00:00", "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-04-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "DSA-2634", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2634"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.python.org/issue17239"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-1665", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "DSA-2634", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2634"}, {"name": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", "refsource": "CONFIRM", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"name": "http://bugs.python.org/issue17239", "refsource": "CONFIRM", "url": "http://bugs.python.org/issue17239"}, {"name": "https://bugs.launchpad.net/keystone/+bug/1100279", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-1665", "datePublished": "2013-04-03T00:00:00", "dateReserved": "2013-02-13T00:00:00", "dateUpdated": "2013-04-11T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*", "matchCriteriaId": "F5BA13BC-F088-45AA-AD10-B74F89CE5375", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:keystone_essex:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD5F4534-9D98-4F86-898C-EAFB0C4CEDAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}, {"lang": "es", "value": "OpenStack Keystone Essex y Folsom permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de la declaraci\u00f3n de una entidad externa XML junto con una referencia entidad, tambi\u00e9n conocido como un ataque XML External Entity (XXE)."}], "id": "CVE-2013-1665", "lastModified": "2013-05-15T03:35:51.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-03T00:55:02.207", "references": [{"source": "cve@mitre.org", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"source": "cve@mitre.org", "url": "http://bugs.python.org/issue17239"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"source": "cve@mitre.org", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2013/dsa-2634"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}