CVE-2013-1664

medium

Published 2013-04-03 · Modified 2024-12-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.0

Description

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2013-1664 NameCVE-2013-1664 DescriptionThe XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. SourceCVE (at NVD; CERT,…

CVE-2013-1664

Name	CVE-2013-1664
Description	The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	700948, 700949, 700950

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cinder (PTS)	bullseye	2:17.0.1-1+deb11u1	fixed
	bullseye (security)	2:17.4.0-1~deb11u2	fixed
	bookworm, bookworm (security)	2:21.3.1-1~deb12u1	fixed
	trixie	2:26.0.0-2	fixed
	forky, sid	2:28.0.0-1	fixed
keystone (PTS)	bullseye	2:18.0.0-3+deb11u1	fixed
	bullseye (security)	2:18.1.0-1+deb11u3	fixed
	bookworm, bookworm (security)	2:22.0.2-0+deb12u1	fixed
	trixie (security), trixie	2:27.0.0-3+deb13u1	fixed
	forky, sid	2:29.0.1-1	fixed
nova (PTS)	bullseye	2:22.0.1-2+deb11u1	fixed
	bullseye (security)	2:22.4.0-1~deb11u7	fixed
	bookworm, bookworm (security)	2:26.2.2-1~deb12u4	fixed
	trixie (security), trixie	2:31.0.0-6+deb13u2	fixed
	forky	2:33.0.1-1	fixed
	sid	2:33.0.1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
cinder	source	(unstable)	2012.2.3-1	700950
keystone	source	(unstable)	2012.1.1-13	700948
nova	source	(unstable)	2012.1.1-13	700949

Home - Debian Security - Source (Git)

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2012.2.3-1`
sid	Fixed	`2012.2.3-1`
forky	Fixed	`2012.2.3-1`
bullseye	Fixed	`2012.2.3-1`
bookworm	Fixed	`2012.2.3-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	django	`>=1.3.0,<1.3.6`	`1.3.6`
PyPI	django	`>=1.4.0,<1.4.4`	`1.4.4`

Application impact

Vendor	Product	Versions
openstack	cinder_folsom	`-`
openstack	compute_\(nova\)_essex	`-`
openstack	compute_\(nova\)_folsom	`-`
openstack	folsom	`-`
openstack	grizzly	`-`
openstack	keystone_essex	`-`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.