Moderate severity · NVD Advisory · Published Sep 16, 2013 · Updated Apr 29, 2026


CVE-2013-4202

Description

The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack: the XML deserializers of these extensions parsed request bodies with `xml.dom.minidom.parseString`, which expands attacker-supplied entity declarations. NOTE: this issue exists because the fix for CVE-2013-1664 was incomplete — it did not cover these extension deserializers, which the patches below switch to `utils.safe_minidom_parse_string`.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
cinder (PyPI) | < 7.0.0a0 | 7.0.0a0

Note: the PyPI range is considerably wider than the "Grizzly 2013.1.3 and earlier" scope in the description and the Aug 2013 fix commits; it reflects the first PyPI release that carries the fix, not the first fixed upstream release. When triaging a deployment, use the description and the fix commits as the authoritative scope.


Patches

2
4ad95dba4fcc

Use utils.safe_minidom_parse_string in extensions

https://github.com/openstack/cinderThierry CarrezAug 8, 2013via ghsa
2 files changed · +6 6
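--- a/cinder/api/contrib/backups.py
+++ b/cinder/api/contrib/backups.py
@@ -18,7 +18,6 @@
 
 import webob
 from webob import exc
-from xml.dom import minidom
 
 from cinder.api import common
 from cinder.api import extensions
@@ -28,6 +27,7 @@
 from cinder import backup as backupAPI
 from cinder import exception
 from cinder.openstack.common import log as logging
+from cinder import utils
 
 
 LOG = logging.getLogger(__name__)
@@ -82,7 +82,7 @@ def construct(self):
 
 class CreateDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         backup = self._extract_backup(dom)
         return {'body': {'backup': backup}}
 
@@ -101,7 +101,7 @@ def _extract_backup(self, node):
 
 class RestoreDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         restore = self._extract_restore(dom)
         return {'body': {'restore': restore}}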
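Review bot: Both `default` methods now hand the untrusted request body to `utils.safe_minidom_parse_string`, but nothing in the hunk records why plain `minidom.parseString` is forbidden here, which is exactly how this regressed after CVE-2013-1664; add above each parse call: `# Request bodies are untrusted: never call minidom.parseString directly, it expands attacker-supplied entity declarations (XEE, CVE-2013-1664 / CVE-2013-4202); the utils wrapper rejects them.` Whether the exception the wrapper raises on a rejected document is translated into an HTTP 400 rather than a 500 is not visible in this hunk and should be confirmed in the wsgi layer. A regression test that POSTs a body with an internal DOCTYPE entity declaration to the backup create and restore endpoints and asserts a 4xx would keep the fix from being lost again. `_extract_backup`, `_extract_restore` and the remainder of both classes lie outside the hunk.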
     
    
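--- a/cinder/api/contrib/volume_transfer.py
+++ b/cinder/api/contrib/volume_transfer.py
@@ -17,7 +17,6 @@
 
 import webob
 from webob import exc
-from xml.dom import minidom
 
 from cinder.api import common
 from cinder.api import extensions
@@ -28,6 +27,7 @@
 from cinder import exception
 from cinder.openstack.common import log as logging
 from cinder import transfer as transferAPI
+from cinder import utils
 
 LOG = logging.getLogger(__name__)
 
@@ -62,7 +62,7 @@ def construct(self):
 
 class CreateDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         transfer = self._extract_transfer(dom)
         return {'body': {'transfer': transfer}}
 
@@ -80,7 +80,7 @@ def _extract_transfer(self, node):
 
 class AcceptDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         transfer = self._extract_transfer(dom)
         return {'body': {'accept': transfer}}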
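Review bot: The switch to `utils.safe_minidom_parse_string` in `CreateDeserializer.default` and `AcceptDeserializer.default` closes the entity-expansion vector but leaves no trace of the intent, so a future contributor copying the older pattern will reintroduce `minidom.parseString`; suggest a why-comment on each call: `# Untrusted input: minidom.parseString expands entity declarations (XEE); the utils wrapper refuses them.` Note that the whole body is still parsed into a DOM before any field is read, so a large but entity-free document is bounded only by whatever request-size limit the WSGI layer applies, which this hunk does not show — worth confirming. A unit test posting a document with an inline DOCTYPE entity to the transfer create and accept actions and asserting rejection would lock the behaviour in. `_extract_transfer` and the rest of both classes continue outside the hunk.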
     
    
2023eecc4b1a

Use utils.safe_minidom_parse_string in extensions

https://github.com/openstack/cinderJohn GriffithAug 8, 2013via ghsa
1 file changed · +3 3
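--- a/cinder/api/contrib/backups.py
+++ b/cinder/api/contrib/backups.py
@@ -17,7 +17,6 @@
 
 import webob
 from webob import exc
-from xml.dom import minidom
 
 from cinder.api import common
 from cinder.api import extensions
@@ -28,6 +27,7 @@
 from cinder import exception
 from cinder import flags
 from cinder.openstack.common import log as logging
+from cinder import utils
 
 FLAGS = flags.FLAGS
 LOG = logging.getLogger(__name__)
@@ -82,7 +82,7 @@ def construct(self):
 
 class CreateDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         backup = self._extract_backup(dom)
         return {'body': {'backup': backup}}
 
@@ -101,7 +101,7 @@ def _extract_backup(self, node):
 
 class RestoreDeserializer(wsgi.MetadataXMLDeserializer):
     def default(self, string):
-        dom = minidom.parseString(string)
+        dom = utils.safe_minidom_parse_string(string)
         restore = self._extract_restore(dom)
         return {'body': {'restore': restore}}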
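Review bot: This commit patches only `backups.py`; if the branch it targets also ships `cinder/api/contrib/volume_transfer.py` (which the companion commit 4ad95dba4fcc fixes the same way), that file would still call `minidom.parseString` and the advisory would remain open there — confirm against the branch before merging, since the page does not show its file list. Independently of that, a why-comment at each parse call would stop the regression recurring: `# Never parse request XML with minidom.parseString: it expands entity declarations (XEE, CVE-2013-4202); use the utils wrapper.` The `_extract_backup`/`_extract_restore` helpers and the rest of both deserializer classes are outside the hunk.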
     
    

