OpenStack Compute (Nova) vulnerable to denial of service via XML Entity Expansion attack

Moderate severity • GitHub Reviewed • Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 8, 2023

Package

nova (pip)

Affected versions

<= 2013.1.3

Patched versions

2013.2

Description

The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
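
The mitigation for this class of bug is to refuse any request body that declares a DTD or entities before the parser can expand them. The block below is an added example using only the Python standard library, not Nova's own code; the names `NoEntityExpatParser`, `parse_request_body`, `is_rejected` and the sample documents are hypothetical and constructed for illustration.

```python
from xml.dom import minidom
from xml.sax import expatreader


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


class NoEntityExpatParser(expatreader.ExpatParser):
    """SAX parser that aborts on the constructs entity expansion relies on."""

    @staticmethod
    def _forbid(construct):
        def handler(*_args):
            raise ForbiddenXML(f"{construct} is not allowed in a request body")
        return handler

    def reset(self):
        # reset() builds the underlying expat parser (self._parser, a CPython
        # implementation detail), so the guards are installed right after it.
        super().reset()
        self._parser.StartDoctypeDeclHandler = self._forbid("DOCTYPE declaration")
        self._parser.EntityDeclHandler = self._forbid("entity declaration")
        self._parser.UnparsedEntityDeclHandler = self._forbid("unparsed entity")
        self._parser.ExternalEntityRefHandler = self._forbid("external entity")


def parse_request_body(xml_text):
    """Parse untrusted XML text into a DOM, rejecting DTDs and entities."""
    return minidom.parseString(xml_text, parser=NoEntityExpatParser())


def is_rejected(xml_text):
    """Return True when the guarded parser refuses the document."""
    try:
        parse_request_body(xml_text)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: a plain body, and one that declares a single entity.
SAMPLE_OK = '<security_group name="web"><description>http</description></security_group>'
SAMPLE_WITH_ENTITY = (
    '<!DOCTYPE security_group [<!ENTITY a "x">]>'
    '<security_group name="&a;"/>'
)

if __name__ == "__main__":
    print(is_rejected(SAMPLE_OK), is_rejected(SAMPLE_WITH_ENTITY))
```

Because the parser raises at the DOCTYPE declaration, the document is rejected before any entity reference in the body is resolved. An incomplete fix of the kind this advisory describes leaves at least one parsing call site on an unguarded parser, so every place that parses request XML needs to go through the guarded entry point.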

References

Published by the National Vulnerability Database Sep 16, 2013
Published to the GitHub Advisory Database May 17, 2022
Reviewed Feb 8, 2023
Last updated Feb 8, 2023

Severity

Moderate

EPSS score

0.599%
(78th percentile)

Weaknesses

CVE ID

CVE-2013-4179

GHSA ID

GHSA-j6xh-q826-55jw