CVE-2013-1915 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2013-1915?

CVE-2013-1915 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1915?

Check the references section above for vendor advisories and patch information. Affected products include: Trustwave Modsecurity, Opensuse Opensuse, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Trustwave	Modsecurity	< 2.7.3
Opensuse	Opensuse	11.4
Fedoraproject	Fedora	17
Debian	Debian Linux	6.0

Related Weaknesses (CWE)

CWE-611

References

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.htmlMailing ListThird Party Advisory
http://secunia.com/advisories/52847Third Party Advisory
http://secunia.com/advisories/52977Third Party Advisory
http://www.debian.org/security/2013/dsa-2659Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:156Third Party Advisory
http://www.openwall.com/lists/oss-security/2013/04/03/7Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/58810Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=947842Issue TrackingPatchThird Party Advisory
https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGESRelease NotesThird Party Advisory
https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8PatchThird Party Advisory

FAQ

What is CVE-2013-1915?

CVE-2013-1915 is a vulnerability with a CVSS score of 7.5 (HIGH). ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity d...

How severe is CVE-2013-1915?

CVE-2013-1915 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1915?

Check the references section above for vendor advisories and patch information. Affected products include: Trustwave Modsecurity, Opensuse Opensuse, Fedoraproject Fedora, Debian Debian Linux.