Severity
4.3 MEDIUM (NVD)
CNA: 5.0 | GHSA: 5.0 | OSV: 5.0
EPSS
0.7%
top 28.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 16
Latest update: May 17

Description

The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.

CVSS vector

AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9

Affected Packages (4 packages)

NVD: openstack/havana havana-2+1
PyPI: openstack/nova < 2013.2
Debian: openstack/nova < 2013.1.3-1+3
NVD: openstack/compute 2013.1.3

Patches

🔴 Vulnerability Details (4)

OSV: OpenStack Compute (Nova) vulnerable to denial of service via XML Entity Expansion attack (2022-05-17)
GHSA: OpenStack Compute (Nova) vulnerable to denial of service via XML Entity Expansion attack (2022-05-17)
CVEList: CVE-2013-4179: The security group extension in OpenStack Compute (Nova) Grizzly 2013 (2013-09-16)
OSV: CVE-2013-4179: The security group extension in OpenStack Compute (Nova) Grizzly 2013 (2013-09-16)

📋 Vendor Advisories (4)

Ubuntu: Cinder vulnerabilities (2013-10-23)
Ubuntu: Nova vulnerabilities (2013-10-23)
Red Hat: OpenStack: Nova XML entities DoS (2013-08-08)
Debian: CVE-2013-4179: nova - The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havan... (2013)

💬 Community (3)

Bugzilla: CVE-2013-4179 openstack-nova: OpenStack: Nova XML entities DoS [fedora-all] (2013-08-08)
Bugzilla: CVE-2013-4179 openstack-nova: OpenStack: Nova XML entities DoS [epel-6] (2013-08-08)
Bugzilla: CVE-2013-4179 OpenStack: Nova XML entities DoS (2013-07-29)
CVE-2013-4179 — XML Entity Expansion in Openstack Nova | cvebase