
OpenStack Cinder Denial of Service using XML entities

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated May 14, 2024

Package

pip cinder (pip)

Affected versions

< 7.0.0a0

Patched versions

7.0.0a0

Description

The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664; the hardened XML parser introduced for that CVE was not applied to these two request-body parsing paths.
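The following is an added illustration, not code from Cinder or from the advisory: it shows why parsing an untrusted request body with the stock `minidom.parseString()` is an XEE sink, and a parser that refuses DTDs and entity declarations before expansion can begin. The hardened parser is patterned after the ProtectedExpatParser approach the OpenStack fix for CVE-2013-1664 took (an assumption about that fix's shape, not a copy of it). The `<transfer>`/`<name>` element names and the payload are constructed for the example; the payload is kept tiny (10^3 expansions rather than the 10^9 of a real "billion laughs") so it runs safely. The lesson of this advisory is in the last function: the safe parser only helps where it is actually called, so every XML entry point must route through it.

```python
"""XEE (XML Entity Expansion) against a minidom-based API body parser,
with a DTD/entity-refusing parser beside it.  Added example, not Cinder code."""
from xml.dom import minidom
from xml.sax import expatreader

# Constructed payload: three levels of 10 nested references expand the
# 3-byte entity "lol" into 3000 bytes.  A real attack nests ~10 levels.
XEE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE transfer [\n'
    '  <!ENTITY lol "lol">\n'
    '  <!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
    '  <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
    '  <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
    ']>\n'
    '<transfer><name>&lol3;</name></transfer>\n'
)

# Constructed benign request body (element names are hypothetical).
BENIGN_BODY = '<?xml version="1.0"?><transfer><name>backup-1</name></transfer>'


def _text(node):
    """Concatenate the character data directly under ``node``."""
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def vulnerable_parse(body):
    """The unpatched pattern: stock expat builder, internal entities expanded
    without limit.  Returns the expanded length of <name>."""
    doc = minidom.parseString(body)
    return len(_text(doc.getElementsByTagName("name")[0]))


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX parser that aborts on DOCTYPE, on any entity declaration and on
    external entity references, so expansion can never start."""

    def __init__(self, forbid_dtd=True, forbid_entities=True, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("Inline DTD forbidden")

    def entity_decl(self, *args):
        raise ValueError("<!ENTITY> forbidden")

    def unparsed_entity_decl(self, *args):
        raise ValueError("<!ENTITY> forbidden")

    def external_entity_ref(self, *args):
        raise ValueError("External entity reference forbidden")

    def reset(self):
        # The parent creates a fresh expat parser here; install the
        # refusing handlers on it before any input is fed.
        super().reset()
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self.entity_decl
            self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
            self._parser.ExternalEntityRefHandler = self.external_entity_ref


def safe_parse(body, forbid_dtd=True):
    """Drop-in replacement for minidom.parseString() on untrusted input."""
    return minidom.parseString(body, parser=ProtectedExpatParser(forbid_dtd=forbid_dtd))


def safe_name(body, forbid_dtd=True):
    """Parse a request body with the hardened parser and return <name>."""
    doc = safe_parse(body, forbid_dtd)
    return _text(doc.getElementsByTagName("name")[0])


def rejection_reason(body, forbid_dtd=True):
    """Return the hardened parser's refusal message, or None if accepted."""
    try:
        safe_name(body, forbid_dtd)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("unpatched: <name> expanded to", vulnerable_parse(XEE_PAYLOAD), "chars")
    print("hardened, DTD forbidden:", rejection_reason(XEE_PAYLOAD))
    print("hardened, DTD allowed but entities forbidden:",
          rejection_reason(XEE_PAYLOAD, forbid_dtd=False))
    print("hardened, benign body:", safe_name(BENIGN_BODY))
```

With `forbid_dtd=True` the request is refused at the `<!DOCTYPE` before the internal subset is even read; with `forbid_dtd=False` the first `<!ENTITY>` declaration still aborts it. The point the advisory makes is that `safe_parse` has to replace `minidom.parseString` in every handler that reads XML from the wire, not only in the ones the first fix touched.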

References

Published by the National Vulnerability Database Sep 16, 2013
Published to the GitHub Advisory Database May 14, 2022
Reviewed May 14, 2024
Last updated May 14, 2024

Severity

Moderate

EPSS score

0.491%
(76th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2013-4202

GHSA ID

GHSA-mfg4-9xf4-f45q

Source code
