CVE-2013-1664
medium
CVSS v3
—
CVSS v2
5.0
VIR risk
5.0
Description
XML Entity Expansion (XEE) in Django
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-1664
Vendor advisory: cve@mitre.org — http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2012.2.3-1 |
| debian | bullseye | fixed | 2012.2.3-1 |
| debian | forky | fixed | 2012.2.3-1 |
| debian | sid | fixed | 2012.2.3-1 |
| debian | trixie | fixed | 2012.2.3-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openstack | cinder_folsom | - | |
| openstack | compute_\(nova\)_essex | - | |
| openstack | compute_\(nova\)_folsom | - | |
| openstack | folsom | - | |
| openstack | grizzly | - | |
| openstack | keystone_essex | - | |
References
- http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
- http://bugs.python.org/issue17239
- http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
- http://rhn.redhat.com/errata/RHSA-2013-0657.html
- http://rhn.redhat.com/errata/RHSA-2013-0658.html
- http://rhn.redhat.com/errata/RHSA-2013-0670.html
- http://ubuntu.com/usn/usn-1757-1
- http://www.openwall.com/lists/oss-security/2013/02/19/2
- http://www.openwall.com/lists/oss-security/2013/02/19/4
- https://bugs.launchpad.net/nova/+bug/1100282
- https://nvd.nist.gov/vuln/detail/CVE-2013-1664
- https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40
- https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112
- https://github.com/django/django
- https://security-tracker.debian.org/tracker/CVE-2013-1664
CWEs
CWE-119
Verify integrity in audit chain (admin only). AS-IS.