CVE-2013-1915: XEE
First published: Wed Apr 03 2013(Updated: )
It was reported that the XML files parser of ModSecurity, a security module for the Apache HTTP Server, was vulnerable to XML External Entity attacks. A remote attacker could provide a specially-crafted XML file that, when processed might lead to local files disclosure or, potentially, excessive resources (memory, CPU) consumption. References: [1] <a href="https://bugs.gentoo.org/show_bug.cgi?id=464188">https://bugs.gentoo.org/show_bug.cgi?id=464188</a> [2] <a href="https://secunia.com/advisories/52847/">https://secunia.com/advisories/52847/</a> [3] <a href="https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES">https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES</a> Relevant upstream patch: [4] <a href="https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe">https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ModSecurity | <2.7.3 | 2.7.3 |
| Trustwave ModSecurity | <2.7.3 | |
| openSUSE openSUSE | =11.4 | |
| openSUSE openSUSE | =12.2 | |
| openSUSE openSUSE | =12.3 | |
| Fedoraproject Fedora | =17 | |
| Fedoraproject Fedora | =18 | |
| Fedoraproject Fedora | =19 | |
| Debian Debian Linux | =6.0 | |
| Debian Debian Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.gentoo.org/show_bug.cgi?id=464188
- https://secunia.com/advisories/52847/
- https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES
- https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=947845
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=947846
- http://www.openwall.com/lists/oss-security/2013/04/03/3
- https://access.redhat.com/security/cve/CVE-2013-1915
- http://www.openwall.com/lists/oss-security/2013/04/03/7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=947842#c4
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=733267&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=733267&action=edit
- http://www.openwall.com/lists/oss-security/2013/04/09/9
- https://bugzilla.redhat.com/show_bug.cgi?id=947842
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.html
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.html
- http://secunia.com/advisories/52847
- http://secunia.com/advisories/52977
- http://www.debian.org/security/2013/dsa-2659
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:156
- http://www.securityfocus.com/bid/58810
- agent/type
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-1915
- agent/software-canonical-lookup
- vendor/trustwave
- canonical/trustwave modsecurity
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/11.4
- version/opensuse opensuse/12.2
- version/opensuse opensuse/12.3
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/17
- version/fedoraproject fedora/18
- version/fedoraproject fedora/19
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/6.0
- version/debian debian linux/7.0
- package-manager/redhat