Severity: MEDIUM

GHSA-x64m-686f-fmm3

XML External Entity (XXE) in Django

Details

The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
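The mitigation class for the attack described above is to refuse any document that declares a DTD or an entity at all, instead of trying to resolve entities safely. The following is an added example, not code from this advisory or from Django: a hardened `xml.sax` expat parser that raises on the DOCTYPE, on every entity declaration and on every external entity reference, so an entity reference can never trigger a file or network fetch. The class and function names (`HardenedExpatParser`, `DTDForbidden`, `parse_untrusted`, `is_rejected`) and the sample documents are this example's own; the placeholder file path in the sample is never read.

```python
import io
from xml.sax import handler
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import ContentHandler


class DTDForbidden(ValueError):
    """Raised when untrusted XML declares a DTD or an entity, or references an external one."""


class HardenedExpatParser(ExpatParser):
    """xml.sax expat parser that refuses DTDs and entity declarations outright.

    Example class (not a Django class). Rather than resolving entities safely,
    it rejects any document that tries to declare them.
    """

    def __init__(self, *args, **kwargs):
        ExpatParser.__init__(self, *args, **kwargs)
        # Even if a callback below were somehow not wired, expat must not
        # fetch external general or parameter entities.
        self.setFeature(handler.feature_external_ges, False)
        self.setFeature(handler.feature_external_pes, False)

    def reset(self):
        # ExpatParser.reset() creates the underlying pyexpat parser and installs
        # its callbacks; hook the DTD-related callbacks right after that.
        ExpatParser.reset(self)
        p = self._parser
        p.StartDoctypeDeclHandler = self._forbid_doctype
        p.EntityDeclHandler = self._forbid_entity
        p.UnparsedEntityDeclHandler = self._forbid_unparsed_entity
        p.ExternalEntityRefHandler = self._forbid_external_ref

    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def _forbid_entity(self, name, is_parameter_entity, value, base, sysid, pubid, notation_name):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")

    def _forbid_unparsed_entity(self, name, base, sysid, pubid, notation_name):
        raise DTDForbidden(f"unparsed entity {name!r} is not allowed")

    def _forbid_external_ref(self, context, base, sysid, pubid):
        raise DTDForbidden(f"external entity reference {sysid!r} is not allowed")


class _Collector(ContentHandler):
    """Collects (tag, text) pairs so the parse result can be inspected."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._stack = []  # one text buffer per open element

    def startElement(self, name, attrs):
        self._stack.append([])

    def characters(self, content):
        if self._stack:
            self._stack[-1].append(content)

    def endElement(self, name):
        self.items.append((name, "".join(self._stack.pop())))


def parse_untrusted(xml_bytes):
    """Parse XML with the hardened parser; returns [(tag, text), ...] or raises DTDForbidden."""
    parser = HardenedExpatParser()
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.items


def is_rejected(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except DTDForbidden:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<root><item>alpha</item><item>beta</item></root>"

# The shape the advisory describes: an external entity declaration followed by
# a reference to it. The SYSTEM path is a placeholder and is never read.
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///placeholder/not/real">]>'
    b"<root><item>&ext;</item></root>"
)

# Even a purely internal entity is refused: the policy is "no DTD at all".
WITH_INTERNAL_ENTITY = b'<!DOCTYPE root [<!ENTITY e "v">]><root>&e;</root>'

if __name__ == "__main__":
    print(parse_untrusted(BENIGN))
    print(is_rejected(WITH_EXTERNAL_ENTITY), is_rejected(WITH_INTERNAL_ENTITY))
```

Rejecting the whole DOCTYPE is deliberate: it also blocks parameter entities and entity-expansion bombs, which a finer-grained allowlist would have to handle separately. The third-party `defusedxml` package applies the same refuse-the-declaration policy across the standard-library parsers if you would rather not maintain a subclass like this one.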

Affected packages

PyPI / django
  Introduced in: 1.3.0
  Fixed in: 1.3.6
  Fix: pip install --upgrade 'django>=1.3.6'

PyPI / django
  Introduced in: 1.4.0
  Fixed in: 1.4.4
  Fix: pip install --upgrade 'django>=1.4.4'