Incomplete Fix for XML Entity Expansion (XEE) Attack in OpenStack Cinder Grizzly 2013.1.3 and Earlier

CVE-2013-4202 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:N/A:P

The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
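The defensive pattern behind this class of fix is to parse request bodies with a parser that refuses DTDs and entity declarations, so an entity-expansion payload is rejected before any expansion can happen. The following is an added example and not Cinder's own code; the `ProtectedExpatParser` class name and the sample documents are constructed for illustration.

```python
from xml.dom import minidom
from xml.sax import expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """Expat-based SAX parser that refuses DTDs and entity declarations.

    Entity expansion is driven by declarations in the DTD, so raising on
    the declaration itself means the document is never expanded at all.
    (Constructed illustration, not the OpenStack implementation.)
    """

    def _forbid(self, *args):
        raise ValueError("DTD and entity declarations are not allowed")

    def reset(self):
        super().reset()
        # Install after the base reset so these override the defaults.
        self._parser.StartDoctypeDeclHandler = self._forbid
        self._parser.EntityDeclHandler = self._forbid
        self._parser.UnparsedEntityDeclHandler = self._forbid
        self._parser.ExternalEntityRefHandler = self._forbid


def naive_parse(text):
    """Unprotected path: the default minidom parser accepts a DTD."""
    return minidom.parseString(text)


def safe_parse(text):
    """Hardened path: raises ValueError for any document carrying a DTD."""
    return minidom.parseString(text, ProtectedExpatParser())


def is_accepted(text):
    """True if the hardened parser accepts the document, False if rejected."""
    try:
        safe_parse(text)
    except ValueError:
        return False
    return True


# Constructed samples: one plain request body, and one that declares an
# internal entity (the building block an XEE payload nests to grow).
SAFE_XML = '<?xml version="1.0"?><backup><name>nightly</name></backup>'
XML_WITH_ENTITY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE backup [<!ENTITY a "aaaa">]>\n'
    '<backup><name>&a;</name></backup>'
)
```

Routing every API's XML body through `safe_parse` is the point: the incomplete fix left two endpoints still using the default parser.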