[Openstack-devel] Bug#700948: CVE-2013-0280: Information leak and Denial of Service using XML entities
Thomas Goirand
zigo at debian.org
Tue Feb 19 16:01:20 UTC 2013
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.
Patched package is ready, upload is coming.
Thomas Goirand (zigo)
More information about the Openstack-devel
mailing list