Vulnerabilities > CVE-2013-4202 - Resource Management Errors vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 11 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Nessus
| NASL family | Ubuntu Local Security Checks |
| NASL id | UBUNTU_USN-2005-1.NASL |
| description | Rongze Zhu discovered that the Cinder LVM driver did not zero out data when deleting snapshots. This could expose sensitive information to authenticated users when subsequent servers use the volume. (CVE-2013-4183) Grant Murphy discovered that Cinder would allow XML entity processing. A remote unauthenticated attacker could exploit this using the Cinder API to cause a denial of service via resource exhaustion. (CVE-2013-4179, CVE-2013-4202). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 70584 |
| published | 2013-10-24 |
| reporter | Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/70584 |
| title | Ubuntu 13.04 : cinder vulnerabilities (USN-2005-1) |
Redhat
| advisories |
| ||||
| rpms |
|