CVE-2013-4202: OpenStack Cinder Denial of Service using XML entities
CVSS Score: 4.3
Basic Information
CVE ID: CVE-2013-4202
GHSA ID
EPSS Score: 0.71399%
CWE: -
Published: 5/14/2022
Updated: 5/14/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cinder | pip | < 7.0.0a0 | 7.0.0a0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing via minidom.parseString in the backup and volume transfer API deserializers. The GitHub patch replaces minidom.parseString with utils.safe_minidom_parse_string in both backups.py and volume_transfer.py. Before the patch, these deserializers parsed untrusted XML request bodies directly, without restricting entity expansion, so a malicious XML payload could exhaust the service's memory or CPU and cause a denial of service. The commit message names these deserializers as the fix locations, confirming they were the vulnerable code paths.
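The hardening described above, as an added example that is not cinder's own safe_minidom_parse_string: a minidom.parseString drop-in built on a SAX expat parser subclass that aborts on any DOCTYPE, entity declaration or external entity reference, so attacker-controlled entity definitions are never expanded. EntityRejectingParser, UnsafeXMLError, safe_parse_string and extract_volume_id are hypothetical names, and the two request bodies are constructed samples.

```python
from xml.dom import minidom
from xml.sax import expatreader

class UnsafeXMLError(ValueError):
    """Raised when the input contains a DOCTYPE, entity or external reference."""

class EntityRejectingParser(expatreader.ExpatParser):
    """SAX/expat parser that refuses DTD and entity constructs outright.

    Hypothetical hardening: reject entity declarations at parse time instead of
    trying to bound their expansion, since API request bodies never need them.
    """

    def reset(self):
        expatreader.ExpatParser.reset(self)
        p = self._parser
        # Hook the expat callbacks that fire before any entity can be expanded.
        p.StartDoctypeDeclHandler = self._reject_doctype
        p.EntityDeclHandler = self._reject_entity
        p.UnparsedEntityDeclHandler = self._reject_entity
        p.ExternalEntityRefHandler = self._reject_external

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not allowed")

    def _reject_entity(self, name, *args):
        raise UnsafeXMLError("entity declaration %r is not allowed" % name)

    def _reject_external(self, context, base, sysid, pubid):
        raise UnsafeXMLError("external entity references are not allowed")

def safe_parse_string(xml_text):
    """Drop-in for minidom.parseString; raises UnsafeXMLError on DTD/entity use."""
    return minidom.parseString(xml_text, parser=EntityRejectingParser())

def extract_volume_id(xml_text):
    """Deserializer stand-in: return the request's volume_id, or None if rejected."""
    try:
        doc = safe_parse_string(xml_text)
    except UnsafeXMLError:
        return None
    node = doc.documentElement.getElementsByTagName("volume_id")[0]
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)

# Constructed samples: a benign backup request and one that declares an entity.
BENIGN = '<backup name="b1"><volume_id>vol-42</volume_id></backup>'
WITH_ENTITY = ('<!DOCTYPE backup [<!ENTITY e "x">]>'
               '<backup name="b1"><volume_id>&e;</volume_id></backup>')
```

The rejection happens at the DOCTYPE declaration, before expat reads a single entity definition, which is why the parser's cost stays proportional to the input size regardless of how the entities are nested.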