{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-19T00:00:00", "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-04-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "DSA-2634", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2634"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.python.org/issue17239"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-1665", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "DSA-2634", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2634"}, {"name": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", "refsource": "CONFIRM", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"name": "http://bugs.python.org/issue17239", "refsource": "CONFIRM", "url": "http://bugs.python.org/issue17239"}, {"name": "https://bugs.launchpad.net/keystone/+bug/1100279", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:13:31.595Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20130219 REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"name": "[openstack-announce] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"name": "RHSA-2013:0658", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"name": "[oss-security] 20130219 [OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"name": "USN-1757-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://ubuntu.com/usn/usn-1757-1"}, {"name": "RHSA-2013:0657", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"name": "DSA-2634", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2013/dsa-2634"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"name": "RHSA-2013:0670", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.python.org/issue17239"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-1665", "datePublished": "2013-04-03T00:00:00", "dateReserved": "2013-02-13T00:00:00", "dateUpdated": "2024-08-06T15:13:31.595Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*", "matchCriteriaId": "F5BA13BC-F088-45AA-AD10-B74F89CE5375", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:keystone_essex:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD5F4534-9D98-4F86-898C-EAFB0C4CEDAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."}, {"lang": "es", "value": "OpenStack Keystone Essex y Folsom permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de la declaraci\u00f3n de una entidad externa XML junto con una referencia entidad, tambi\u00e9n conocido como un ataque XML External Entity (XXE)."}], "id": "CVE-2013-1665", "lastModified": "2013-05-15T03:35:51.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-03T00:55:02.207", "references": [{"source": "cve@mitre.org", "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"}, {"source": "cve@mitre.org", "url": "http://bugs.python.org/issue17239"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"source": "cve@mitre.org", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2013/dsa-2634"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://bugs.launchpad.net/keystone/+bug/1100279"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2013:0596", "cpe": "cpe:/a:redhat:openstack:2::el6", "package": "openstack-keystone-0:2012.2.3-3.el6ost", "product_name": "OpenStack Folsom for RHEL 6", "release_date": "2013-03-05T00:00:00Z"}, {"advisory": "RHSA-2013:0657", "cpe": "cpe:/a:redhat:openstack:2::el6", "package": "openstack-nova-0:2012.2.3-4.el6ost", "product_name": "OpenStack Folsom for RHEL 6", "release_date": "2013-03-21T00:00:00Z"}, {"advisory": "RHSA-2013:0658", "cpe": "cpe:/a:redhat:openstack:2::el6", "package": "openstack-cinder-0:2012.2.3-4.el6ost", "product_name": "OpenStack Folsom for RHEL 6", "release_date": "2013-03-21T00:00:00Z"}, {"advisory": "RHSA-2013:0670", "cpe": "cpe:/a:redhat:openstack:2::el6", "package": "Django14-0:1.4.4-1.el6ost", "product_name": "OpenStack Folsom for RHEL 6", "release_date": "2013-03-21T00:00:00Z"}], "bugzilla": {"description": "bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", "id": "912982", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=912982"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "status": "verified"}, "details": ["The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack."], "name": "CVE-2013-1665", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:2.1", "fix_state": "Affected", "package_name": "Django14", "product_name": "Red Hat OpenStack Platform 2.1"}, {"cpe": "cpe:/a:redhat:openstack:2.1", "fix_state": "Affected", "package_name": "openstack-cinder", "product_name": "Red Hat OpenStack Platform 2.1"}, {"cpe": "cpe:/a:redhat:openstack:2.1", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "Red Hat OpenStack Platform 2.1"}, {"cpe": "cpe:/a:redhat:openstack:2.1", "fix_state": "Affected", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 2.1"}, {"cpe": "cpe:/a:redhat:openstack:1", "fix_state": "Affected", "package_name": "Django14", "product_name": "RHOS Essex Release"}, {"cpe": "cpe:/a:redhat:openstack:1", "fix_state": "Affected", "package_name": "openstack-keystone", "product_name": "RHOS Essex Release"}, {"cpe": "cpe:/a:redhat:openstack:1", "fix_state": "Affected", "package_name": "openstack-nova", "product_name": "RHOS Essex Release"}], "public_date": "2013-02-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-1665\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1665"], "statement": "This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.", "threat_severity": "Moderate"}