Vulnerability Name:

CVE-2013-1665 (CCN-82203)

Assigned: 2013-02-20
Published: 2013-02-20
Updated: 2013-05-15
Summary: The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products, allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:

Source: CONFIRM
Type: UNKNOWN
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

Source: CONFIRM
Type: UNKNOWN
http://bugs.python.org/issue17239

Source: MITRE
Type: CNA
CVE-2013-1665

Source: CCN
Type: OpenStack Security Advisory: 2013-004
Information leak and Denial of Service using XML entities

Source: MLIST
Type: Vendor Advisory
[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0657

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0658

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0670

Source: CCN
Type: SA52224
OpenStack Keystone and Compute (Nova) Two Vulnerabilities

Source: CCN
Type: SA52243
Django Multiple Vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-1757-1

Source: DEBIAN
Type: UNKNOWN
DSA-2634

Source: DEBIAN
Type: DSA-2634
python-django -- several vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)

Source: MLIST
Type: UNKNOWN
[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280

Source: CCN
Type: BID-58022
Multiple OpenStack Products CVE-2013-1665 XML External Entity Information Disclosure Vulnerability

Source: CCN
Type: BID-58061
Django Formsets Denial of Service Vulnerability

Source: CONFIRM
Type: Patch
https://bugs.launchpad.net/keystone/+bug/1100279

Source: XF
Type: UNKNOWN
django-keystone-xml-info-disc(82203)

Source: CCN
Type: Django Web site
Security releases issued

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:openstack:folsom:-:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:keystone_essex:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:djangoproject:django:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:djangoproject:django:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:keystone:2012.1:*:*:*:*:*:*:*
  • OR cpe:/a:djangoproject:django:1.5:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID                            | Class | Title                                                        | Last Modified
-----------------------------------------|-------|--------------------------------------------------------------|--------------
oval:org.opensuse.security:def:20131665  | V     | CVE-2013-1665                                                | 2015-11-16
oval:org.mitre.oval:def:17354            | P     | USN-1730-1 -- OpenStack Keystone vulnerabilities             | 2014-06-30
oval:org.mitre.oval:def:18138            | P     | USN-1757-1 -- python-django vulnerabilities                  | 2014-06-30
oval:org.mitre.oval:def:19205            | P     | DSA-2634-1 python-django - several vulnerabilities           | 2014-06-23
oval:com.ubuntu.precise:def:20131665000  | V     | CVE-2013-1665 on Ubuntu 12.04 LTS (precise) - medium.        | 2013-04-02