Vulnerability Details : CVE-2013-1664
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
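As an added illustration (example code, not part of the CVE record and not Python's or defusedxml's own code): Python's standard-library parsers expand DTD-declared entities by default, which is what makes XEE possible; the defusedxml fix referenced in this record takes the approach shown below, installing an expat `EntityDeclHandler` that refuses any entity declaration before expansion begins. The two documents and the function names are constructed for this example.

```python
"""Contrast the default expat behaviour (entities expanded) with a parser that
refuses entity declarations outright, mirroring the defusedxml approach.
Constructed example; SAFE_DOC / ENTITY_DOC and the function names are not from the page."""
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares an internal or external entity."""


# Constructed inputs: a plain document and a tiny nested-entity document.
SAFE_DOC = b"<note><to>ops</to></note>"
ENTITY_DOC = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE x [\n"
    b' <!ENTITY a "0123456789">\n'
    b' <!ENTITY b "&a;&a;&a;&a;">\n'
    b"]><x>&b;&b;&b;</x>"
)


def expanded_text_length(data: bytes) -> int:
    """Default expat behaviour: every entity reference is expanded, so the
    character data delivered to the application can far exceed the input size."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return len("".join(chunks))


def parse_without_entities(data: bytes) -> str:
    """Parse with expat but refuse any <!ENTITY ...> declaration.
    The handler fires while the DTD is read, before the root element and
    before any expansion work, so malicious input is rejected cheaply."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    parser.EntityDeclHandler = forbid_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def rejects_entities(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_without_entities(data)
    except EntitiesForbidden:
        return False or True
    return False
```

On the constructed `ENTITY_DOC`, `expanded_text_length` returns 120 characters from a document of about 100 bytes, while `parse_without_entities` raises before any expansion; the same hook also fires for external entity declarations.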
Vulnerability category: Overflow, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2013-1664
Probability of exploitation activity in the next 30 days: 8.96%
Percentile (the proportion of vulnerabilities scored at or below this value): ~94%
CVSS scores for CVE-2013-1664
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST
CWE ids for CVE-2013-1664
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1664
- http://rhn.redhat.com/errata/RHSA-2013-0657.html : RHSA-2013:0657 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2013-0670.html : RHSA-2013:0670 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2013/02/19/2 : oss-security - [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)
- http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html : Python Insider: Announcing defusedxml, Fixes for XML Security Issues
- https://bugs.launchpad.net/nova/+bug/1100282 : Bug #1100282 “[OSSA 2013-004] DoS through XML entity expansion (...” : Bugs : OpenStack Compute (nova) [Exploit]
- http://bugs.python.org/issue17239 : Issue 17239: XML vulnerabilities in Python - Python tracker
- http://www.openwall.com/lists/oss-security/2013/02/19/4 : oss-security - REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280
- http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html : OpenStack Open Source Cloud Computing Software » Message: [openstack-announce] [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665) [Vendor Advisory]
- http://rhn.redhat.com/errata/RHSA-2013-0658.html : RHSA-2013:0658 - Security Advisory - Red Hat Customer Portal
- http://ubuntu.com/usn/usn-1757-1 : USN-1757-1: Django vulnerabilities | Ubuntu security notices
Products affected by CVE-2013-1664
- cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone_essex:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute_\(nova\)_essex:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute_\(nova\)_folsom:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:cinder_folsom:-:*:*:*:*:*:*:*