CVE-2013-1665
OpenStack Folsom and Keystone Essex - XML External Entity Injection
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
References (11)

- Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-0658.html
- Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-0657.html
- Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-0670.html
- Vendor Advisory, mailing list (OpenStack announce): http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
- Vendor Advisory (Ubuntu): http://ubuntu.com/usn/usn-1757-1
- Third Party Advisory (Debian): http://www.debian.org/security/2013/dsa-2634
- Mailing List (oss-security): http://www.openwall.com/lists/oss-security/2013/02/19/4
- Mailing List (oss-security): http://www.openwall.com/lists/oss-security/2013/02/19/2
- Confirmation (Python blog, defusedxml announcement): http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
- Confirmation (Python bug tracker): http://bugs.python.org/issue17239
- Patch (Keystone bug tracker): https://bugs.launchpad.net/keystone/+bug/1100279
Scores

EPSS: 0.0300
EPSS Percentile: 86.7%
Details

CWE: CWE-200
Status: published
Products (3)

- openstack/folsom
- openstack/keystone_essex
- pypi/Django, versions 1.3.0 - 1.3.6 (PyPI)
Published: Apr 03, 2013
Tracked Since: Feb 18, 2026