Vulnerability Details : CVE-2013-1665
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products, allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Vulnerability category: XML external entity (XXE) injection; information leak
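The fix Python later shipped through defusedxml is to reject entity declarations before any resolution can happen. The following is an added example (not code from the advisory, defusedxml or the affected projects) that applies the same strategy using only the standard-library expat parser; the Keystone-style sample documents and the `file:///PLACEHOLDER` path are constructed for illustration.

```python
import xml.parsers.expat as expat

class EntityDeclarationForbidden(ValueError): """Document declares or references an entity."""

def parse_without_entities(xml_bytes: bytes) -> list:
    """Parse with stdlib expat but refuse every entity declaration and external
    entity reference (defusedxml's strategy, re-implemented here). Returns (tag, text)."""
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset or parameter entity.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.buffer_text = True

    def forbid_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities are refused as well: they are the CVE-2013-1664 DoS vector.
        raise EntityDeclarationForbidden(f"entity declaration {name!r} rejected")

    def forbid_external(context, base, system_id, public_id):
        raise EntityDeclarationForbidden(f"external entity {system_id!r} rejected")

    parser.EntityDeclHandler = forbid_decl
    parser.ExternalEntityRefHandler = forbid_external

    events, stack = [], []  # stack holds (tag, [text chunks]) for open elements
    def start(tag, attrs):
        stack.append((tag, []))
    def chars(data):
        if stack:
            stack[-1][1].append(data)
    def end(tag):
        name, chunks = stack.pop()
        text = "".join(chunks).strip()
        if text:
            events.append((name, text))
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)  # raises on the first entity declaration
    return events

def is_entity_free(xml_bytes: bytes) -> bool:
    try:
        parse_without_entities(xml_bytes)
    except EntityDeclarationForbidden:
        return False
    return True

# Constructed samples (not from the advisory): a benign Keystone-style request,
# and one carrying the external entity declaration the CVE describes.
SAFE_DOC = b'<token><user>alice</user><tenant>demo</tenant></token>'
HOSTILE_DOC = (b'<!DOCTYPE token [<!ENTITY leak SYSTEM "file:///PLACEHOLDER">]>'
               b'<token><user>&leak;</user></token>')
```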
Products affected by CVE-2013-1665
- cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone_essex:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1665
0.29%: probability of exploitation activity in the next 30 days
EPSS Score History
~65%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2013-1665
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2013-1665
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1665
- RHSA-2013:0657 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2013-0657.html
- RHSA-2013:0670 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2013-0670.html
- oss-security - [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665): http://www.openwall.com/lists/oss-security/2013/02/19/2
- Python Insider: Announcing defusedxml, Fixes for XML Security Issues: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
- Bug #1100279 "[OSSA 2013-004] Local file leak through entities i..." : Bugs : OpenStack Identity (keystone) (Patch): https://bugs.launchpad.net/keystone/+bug/1100279
- Issue 17239: XML vulnerabilities in Python - Python tracker: http://bugs.python.org/issue17239
- oss-security - REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280: http://www.openwall.com/lists/oss-security/2013/02/19/4
- OpenStack Open Source Cloud Computing Software » Message: [openstack-announce] [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665) (Vendor Advisory): http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
- RHSA-2013:0658 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2013-0658.html
- USN-1757-1: Django vulnerabilities | Ubuntu security notices: http://ubuntu.com/usn/usn-1757-1
- Debian -- Security Information -- DSA-2634-1 python-django: http://www.debian.org/security/2013/dsa-2634