XML Entity Expansion (XEE) in Django

Description

The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
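A defensive check for the vulnerability class this advisory describes, added here as an example (it is not Django's or OpenStack's code): it uses the standard-library expat bindings to refuse any document that declares entities, internal or external, before an expansion can start. The function names and the two sample documents are constructed for this illustration.

```python
import xml.parsers.expat


class EntityDeclarationForbidden(ValueError):
    """Raised when the document declares any entity (internal or external)."""


def parse_without_entities(xml_bytes):
    """Parse XML and return a list of (element name, text) pairs, in end-tag order.

    The first <!ENTITY ...> declaration aborts parsing, so nested entity expansion
    (the XEE class) never runs and external entity references (CWE-611) are never
    resolved. Expat raises the handler's exception straight out of Parse().
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    open_elements = []  # stack of [name, text fragments] for elements not yet closed

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Called once per entity declaration; refusing here is cheaper than any limit.
        raise EntityDeclarationForbidden("entity declaration %r is not allowed" % entity_name)

    def start(name, attrs):
        open_elements.append([name, []])

    def chars(data):
        # Character data may arrive in several chunks; collect and join at end tag.
        if open_elements:
            open_elements[-1][1].append(data)

    def end(name):
        name, parts = open_elements.pop()
        elements.append((name, "".join(parts)))

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return elements


def is_safe_document(xml_bytes):
    """True if the document parses without any entity declaration."""
    try:
        parse_without_entities(xml_bytes)
    except EntityDeclarationForbidden:
        return False
    return True


# Constructed samples: a benign document and one with a small nested-entity subset.
BENIGN = b"<config><name>keystone</name></config>"
NESTED_ENTITIES = (b"<?xml version='1.0'?>"
                   b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
                   b"<d>&b;</d>")
```

Applied at the input boundary (for example before handing a request body to a parser), the same guard rejects the payload before any memory is allocated for expansion.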

Basic information

Type: reviewed
Severity: medium
Published (advisory): 2022-05-17 05:09:40 UTC
Updated: 2024-05-21 20:12:05 UTC
GitHub reviewed: 2024-05-21 20:12:01 UTC
NVD published: 2013-04-02

EPSS Score

Score: 3.94%
Percentile: 88.00%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE-611: Improper Restriction of XML External Entity Reference

Credits

  • MarkLee131 (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: pip, Package: Django, Vulnerable range: >= 1.3.0, < 1.3.6, First patched: 1.3.6, Vulnerable functions: none listed
Ecosystem: pip, Package: Django, Vulnerable range: >= 1.4.0, < 1.4.4, First patched: 1.4.4, Vulnerable functions: none listed
