Vulnerability Details : CVE-2013-1915
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
Vulnerability category: XML external entity (XXE) injection; Denial of service
Products affected by CVE-2013-1915
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:a:trustwave:modsecurity:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1915
- EPSS score: 0.89% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2013-1915
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
CWE ids for CVE-2013-1915
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1915
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:156 (Third Party Advisory)
- https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES (Release Notes; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2013/04/03/7: oss-security - Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks (Mailing List; Patch; Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html: openSUSE-SU-2013:1336-1: moderate: update for apache2-mod_security2 (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.html: [SECURITY] Fedora 19 Update: mod_security-2.7.3-1.fc19 (Third Party Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.html: openSUSE-SU-2013:1342-1: moderate: update for apache2-mod_security2 (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.html: [SECURITY] Fedora 18 Update: mod_security-2.7.3-1.fc18 (Third Party Advisory)
- http://www.debian.org/security/2013/dsa-2659: Debian -- Security Information -- DSA-2659-1 libapache-mod-security (Third Party Advisory)
- https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe: Added SecXmlExternalEntity · SpiderLabs/ModSecurity@d4d80b3 (Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=947842: 947842 – (CVE-2013-1915) CVE-2013-1915 mod_security: Vulnerable to XXE attacks (Issue Tracking; Patch; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.html: [SECURITY] Fedora 17 Update: mod_security-2.7.3-1.fc17 (Third Party Advisory)
- http://www.securityfocus.com/bid/58810: ModSecurity XML External Entity Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html: openSUSE-SU-2013:1331-1: moderate: update for apache2-mod_security2 (Mailing List; Third Party Advisory)