72 lines
1.9 KiB
YAML
72 lines
1.9 KiB
YAML
advisory-date: 2013-08-08
|
|
|
|
advisory-id: OSSA-2013-023
|
|
|
|
advisory-title: 'Denial of Service using XML entities in Nova/Cinder extensions'
|
|
|
|
advisory-description: 'Grant Murphy from Red Hat reported that vulnerabilities in
|
|
XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity
|
|
expansion in specific extensions, an unauthenticated attacker may still consume
|
|
excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers,
|
|
resulting in a denial of service and potentially a crash. Only Nova setups making
|
|
use of the security group extension in Grizzly are affected. Only Cinder setups
|
|
making use of the backups or volume transfer API extension in Grizzly are affected.'
|
|
|
|
advisory-reference: http://lists.openstack.org/pipermail/openstack-announce/2013-August/000133.html
|
|
|
|
affected-products:
|
|
- product: nova
|
|
version: TODO
|
|
- product: cinder
|
|
version: TODO
|
|
|
|
vulnerabilities:
|
|
- cve-id: CVE-2013-4179
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 5.5
|
|
detail: AV:N/AC:L/Au:S/C:N/I:N/A:P
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
- cve-id: CVE-2013-4202
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 5.0
|
|
detail: AV:N/AC:L/Au:N/C:N/I:N/A:P
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
- name: 'Grant Murphy'
|
|
affiliation: 'Red Hat'
|
|
reported:
|
|
- CVE-2013-4179
|
|
- CVE-2013-4202
|
|
|
|
notes:
|
|
|
|
issues:
|
|
issue-tracking-system-url: https://launchpad.net/bugs/{id}
|
|
issue-tracking-system-type : 'launchpad'
|
|
issue-id:
|
|
- 1190229
|
|
|
|
reviews:
|
|
review-system-url: https://review.openstack.org/#/c/{id}
|
|
review-system-type: 'gerrit'
|
|
review-id:
|
|
- 40879
|
|
- 40881
|
|
- 40880
|
|
- 40883
|