CVE-2013-1665

Description

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

How to fix CVE-2013-1665

To remediate CVE-2013-1665, upgrade the affected package to a fixed version below.

• Debian/keystone—upgrade to 2012.1.1-13 or later
• Debian/python-django—upgrade to 1.4.4-1 or later
• —upgrade to 1.3.6 or later

Is CVE-2013-1665 being exploited?

Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2012.1.1-13
• from 0, < 1.4.4-1
• >= 1.3.0, < 1.3.6

References (15)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1665
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-1665
• WEBblog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
• WEBbugs.python.org/issue17239