CVE-2013-1665
bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities
Severity Score
5.0
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
OpenStack Keystone Essex y Folsom permite a atacantes remotos leer ficheros arbitrarios a través de la declaración de una entidad externa XML junto con una referencia entidad, también conocido como un ataque XML External Entity (XXE).
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-13 CVE Reserved
- 2013-02-21 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (13)
| URL | Tag | Source |
|---|---|---|
| http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html | X_refsource_confirm | |
| http://bugs.python.org/issue17239 | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2013/02/19/2 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2013/02/19/4 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugs.launchpad.net/keystone/+bug/1100279 | 2013-05-15 |
| URL | Date | SRC |
|---|---|---|
| http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html | 2013-05-15 | |
| http://rhn.redhat.com/errata/RHSA-2013-0657.html | 2013-05-15 | |
| http://rhn.redhat.com/errata/RHSA-2013-0658.html | 2013-05-15 | |
| http://rhn.redhat.com/errata/RHSA-2013-0670.html | 2013-05-15 | |
| http://ubuntu.com/usn/usn-1757-1 | 2013-05-15 | |
| http://www.debian.org/security/2013/dsa-2634 | 2013-05-15 | |
| https://access.redhat.com/security/cve/CVE-2013-1665 | 2013-03-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=912982 | 2013-03-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Folsom Search vendor "Openstack" for product "Folsom" | - | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystone Essex Search vendor "Openstack" for product "Keystone Essex" | - | - |
Affected
| ||||||