73 lines
2.3 KiB
JSON
73 lines
2.3 KiB
JSON
{
|
|
"advisory": {
|
|
"date": "2013-02-19",
|
|
"description": "Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerabilities in the parsing of XML requests in Python XML libraries used in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash (CVE-2013-1664). Authenticated attackers may also leverage XML entities to read the content of a local file on the Keystone API server (CVE-2013-1665). This only affects servers with XML support enabled.",
|
|
"id": "2013-004",
|
|
"title": "Information leak and Denial of Service using XML entities",
|
|
"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
|
|
},
|
|
"affects": [
|
|
{
|
|
"product": "keystone",
|
|
"version": "TODO"
|
|
},
|
|
{
|
|
"product": "nova",
|
|
"version": "TODO"
|
|
},
|
|
{
|
|
"product": "cinder",
|
|
"version": "TODO"
|
|
}
|
|
],
|
|
"bugs": [
|
|
"1100282",
|
|
"1100279"
|
|
],
|
|
"notes": "",
|
|
"reporters": [
|
|
{
|
|
"company": "NCC Group",
|
|
"name": "Jonathan Murray"
|
|
},
|
|
{
|
|
"company": "Yahoo!",
|
|
"name": "Joshua Harlow"
|
|
},
|
|
{
|
|
"company": "UNKNOWN",
|
|
"name": "StuartStent"
|
|
}
|
|
],
|
|
"reviews": [
|
|
"22309",
|
|
"22310",
|
|
"22315",
|
|
"22312",
|
|
"22311",
|
|
"22314",
|
|
"22313",
|
|
"22316"
|
|
],
|
|
"schema_version": 1,
|
|
"vulnerabilities": [
|
|
{
|
|
"cve": "CVE-2013-1664",
|
|
"cvss": {
|
|
"base_score": "4.3",
|
|
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
|
|
},
|
|
"cwe": "TODO",
|
|
"impact": "moderate"
|
|
},
|
|
{
|
|
"cve": "CVE-2013-1665",
|
|
"cvss": {
|
|
"base_score": "5.8",
|
|
"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"
|
|
},
|
|
"cwe": "TODO",
|
|
"impact": "moderate"
|
|
}
|
|
]
|
|
} |