CVE-2013-1664: Improper Restriction of Operations within the Bounds of a Memory Buffer in Django

Severity: 5.0 MEDIUM (NVD)
EPSS: 3.9% (top 11.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 3; latest update May 17

Description

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

CVSS vector: AV:N/AC:L/C:N/I:N/A:P | Exploitability: 10.0 | Impact: 2.9

Affected Packages (4 packages)

Debian: openstack/nova, < 2012.1.1-13 (+3)
Debian: openstack/cinder, < 2012.2.3-1 (+3)
Debian: openstack/keystone, < 2012.1.1-13 (+3)
PyPI: djangoproject/django, 1.3.0 to 1.3.6 (+1)

Vulnerability Details (6)

GHSA: XML Entity Expansion (XEE) in Django (2022-05-17)
OSV: XML Entity Expansion (XEE) in Django (2022-05-17)
GHSA: OpenStack Compute (Nova) vulnerable to denial of service via XML Entity Expansion attack (2022-05-17)
GHSA: OpenStack Cinder Denial of Service using XML entities (2022-05-14)
OSV: CVE-2013-1664: The XML libraries for Python 3 (2013-04-03)

Vendor Advisories (8)

Red Hat: OpenStack: Nova XML entities DoS (2013-08-08)
Red Hat: OpenStack: Cinder Denial of Service using XML entities (2013-08-08)
Ubuntu: Django vulnerabilities (2013-03-07)
Ubuntu: OpenStack Cinder vulnerability (2013-02-21)
Ubuntu: OpenStack Nova vulnerability (2013-02-21)

Community (7)

Bugzilla: CVE-2013-1664 Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities (2013-02-22)
Bugzilla: CVE-2013-1664 CVE-2013-1665 libxml2: DoS (excessive CPU consumption) by performing string substitutions during entities expansion [fedora-all] (2013-02-20)
Bugzilla: Django: XML entity attacks (2013-02-20)
Bugzilla: CVE-2013-1664 CVE-2013-1665 OpenStack keystone: XML entity parsing (2013-02-12)
CVE-2013-1664 — Djangoproject Django vulnerability | cvebase