XML External Entity Attack in Python Libraries Used by OpenStack and Django
CVE-2013-1665

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone Essex; Folsom
Vendor: CVE Published:; 3 April 2013

Summary

The XML libraries across multiple Python versions, including 2.6 to 3.4, used within OpenStack Keystone and Django can be exploited through an XML External Entity (XXE) attack. This vulnerability allows remote attackers to access arbitrary files on the server by crafting malicious XML payloads that exploit entity references. Consequently, this may lead to information leakage and further expose systems relying on these libraries to additional threats.

References

http://www.openwall.com/lists/oss-security/2013/02/19/4

mailing-listx_refsource_MLIST

http://lists.openstack.org/pipermail/openstack-announce/2...

mailing-listx_refsource_MLIST

http://rhn.redhat.com/errata/RHSA-2013-0658.html

vendor-advisoryx_refsource_REDHAT

Timeline

Vulnerability published
Apr 3, 2013
Vulnerability Reserved
Feb 13, 2013