CVE-2013-4202: OpenStack Cinder Denial of Service using XML entities

CVSS Score: 4.3

Basic Information

EPSS Score: 0.71399%
CWE: -
Published: 5/14/2022
Updated: 5/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Package Name: cinder
Ecosystem: pip
Vulnerable Versions: < 7.0.0a0
First Patched Version: 7.0.0a0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from insecure XML parsing via minidom.parseString in the backup and volume transfer API deserializers. The GitHub patch shows replacements of minidom.parseString with utils.safe_minidom_parse_string in both backups.py and volume_transfer.py. These functions directly parsed untrusted XML input without restricting entity expansion, allowing attackers to trigger resource exhaustion through malicious XML payloads. The commit message explicitly addresses these functions as the fix locations, confirming their vulnerability.
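The hardening the patch describes, as an added example rather than Cinder's own code: a minidom wrapper that aborts on any DOCTYPE or entity declaration before expansion can begin. Class and function names are assumed, and the two request bodies are constructed.

```python
# Added example (not Cinder's code): reject DTD and entity declarations
# up front instead of letting minidom expand untrusted entities.
from xml.dom import minidom
from xml.sax import expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX parser that raises ValueError on any DOCTYPE or entity declaration."""

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("inline DTD is forbidden")

    def entity_decl(self, name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise ValueError("<!ENTITY> declarations are forbidden")

    def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> declarations are forbidden")

    def external_entity_ref(self, context, base, system_id, public_id):
        raise ValueError("external entity references are forbidden")

    def reset(self):
        # expatreader creates the underlying pyexpat parser here; hook the
        # declaration callbacks it leaves unset by default.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        self._parser.EntityDeclHandler = self.entity_decl
        self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
        self._parser.ExternalEntityRefHandler = self.external_entity_ref


def safe_minidom_parse_string(xml_string):
    """Drop-in for minidom.parseString that refuses entity-bearing input."""
    if isinstance(xml_string, bytes):
        xml_string = xml_string.decode("utf-8")
    return minidom.parseString(xml_string, parser=ProtectedExpatParser())


def is_rejected(xml_string):
    """True when the hardened parser refuses the document."""
    try:
        safe_minidom_parse_string(xml_string)
    except ValueError:
        return True
    return False


# Constructed request bodies: a plain backup document and one carrying a DTD.
PLAIN = '<backup><name>nightly</name></backup>'
WITH_DTD = '<!DOCTYPE backup [<!ENTITY a "x">]><backup><name>&a;</name></backup>'
```

Plain `minidom.parseString` accepts `WITH_DTD` and expands the entity; the wrapper raises before any expansion happens.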

WAF Protection Rules

WAF Rule

The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allow remote attackers to cause a denial of service (resource consumption and crash) via an XML entity
