CVE-2013-1665

OpenStack Folsom < 1.3.6 - Information Disclosure

Title source: rule

Description

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products, allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

Scores

EPSS 0.0300
EPSS Percentile 86.4%

Classification

CWE
CWE-200
Status draft

Affected Products (3)

openstack/folsom
openstack/keystone_essex
pypi/Django < 1.3.6

Timeline

Published Apr 03, 2013
Tracked Since Feb 18, 2026