XML Entity Expansion Vulnerability in OpenStack Cinder by Rackspace
CVE-2013-4202

Currently unrated

Key Information:

Vendor: Openstack
Status: Cinder
Vendor: CVE Published:; 16 September 2013

Summary

The OpenStack Cinder service contains vulnerabilities in its backup and volume transfer APIs that allow remote attackers to exploit XML Entity Expansion (XEE) attacks. Specifically, versions 2013.1.3 and earlier are susceptible to denial of service, resulting in resource exhaustion leading to service crashes. This issue highlights the importance of consistent security practices, as it stems from an incomplete mitigation of prior vulnerabilities. Mitigation strategies are essential to safeguard against such attacks, protecting system resources and maintaining service availability.

References

http://rhn.redhat.com/errata/RHSA-2013-1198.html

vendor-advisoryx_refsource_REDHAT

https://bugs.launchpad.net/ossa/+bug/1190229

x_refsource_CONFIRM

http://www.ubuntu.com/usn/USN-2005-1

vendor-advisoryx_refsource_UBUNTU

Timeline

Vulnerability published
Sep 16, 2013
Vulnerability Reserved
Jun 12, 2013