CVE-2013-1665 — Sensitive Information Exposure in Django

CWE-200 — Sensitive Information Exposure CWE-611 — XML External Entity (XXE) Injection17 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

3.0%

top 13.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone Djangoproject Django

Timeline

PublishedApr 3

Latest updateMay 17

Description

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Debianopenstack/keystone< 2012.1.1-13+3

▶PyPIdjangoproject/django1.3.0 — 1.3.6+1

Patches

Patch: bugs.launchpad.net ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

OSV

XML External Entity (XXE) in Django↗2022-05-17

▶

GHSA

XML External Entity (XXE) in Django↗2022-05-17

▶

CVEList

CVE-2013-1665: The XML libraries for Python 3↗2013-04-03

▶

OSV

CVE-2013-1665: The XML libraries for Python 3↗2013-04-03

▶

💥Exploits & PoCs

Exploit-DB

ownCloud 6.0.0a - Multiple Vulnerabilities↗2014-02-05

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2013-03-07

▶

Ubuntu

OpenStack Keystone vulnerabilities↗2013-02-20

▶

Red Hat

bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities↗2013-02-19

▶

Debian

CVE-2013-1665: keystone - The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenSt...↗2013

▶

💬Community

Bugzilla

CVE-2013-1665 Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities↗2013-02-20

▶

Bugzilla

CVE-2013-1664 CVE-2013-1665 libxml2: DoS (excessive CPU consumption) by performing string substitutions during entities expansion [fedora-all]↗2013-02-20

▶

Bugzilla

CVE-2013-1664 CVE-2013-1665 libxml2: DoS (excessive CPU consumption) by performing string substitutions during entities expansion [fedora-all]↗2013-02-20

▶

Bugzilla

Django: XML entity attacks↗2013-02-20

▶

Bugzilla

CVE-2013-1664 CVE-2013-1665 OpenStack keystone: XML entity parsing↗2013-02-12

▶