Low severityNVD Advisory· Published Jan 7, 2014· Updated Apr 29, 2026
CVE-2013-6480
CVE-2013-6480
Description
Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-libcloudPyPI | >= 0.12.3, < 0.13.3 | 0.13.3 |
Affected products
5cpe:2.3:a:apache:libcloud:0.12.3:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:apache:libcloud:0.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:libcloud:0.12.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:libcloud:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:libcloud:0.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:libcloud:0.13.2:*:*:*:*:*:*:*
Patches
14449e165a007Send 'scrub_data' parameter when destroying a DigitalOcean node.
3 files changed · +11 −3
CHANGES+5 −0 modified@@ -153,6 +153,11 @@ Changes with Apache Libcloud in development (LIBCLOUD-481, GITHUB-215) [Chris DeRamus] + - Send "scrub_data" query parameter when destroying a DigitalOcean node. + This will cause disk to be scrubbed (overwritten with 0's) when destroying + a node. (LIBCLOUD-487) + [Tomaz Muraus] + *) Storage - Allow user to specify 'Content-Disposition' header in the CloudFiles
libcloud/compute/drivers/digitalocean.py+3 −1 modified@@ -122,7 +122,9 @@ def reboot_node(self, node): return res.status == httplib.OK def destroy_node(self, node): - res = self.connection.request('/droplets/%s/destroy/' % (node.id)) + params = {'scrub_data': 'true'} + res = self.connection.request('/droplets/%s/destroy/' % (node.id), + params=params) return res.status == httplib.OK def ex_list_ssh_keys(self):
libcloud/test/compute/test_digitalocean.py+3 −2 modified@@ -25,7 +25,7 @@ from libcloud.common.types import InvalidCredsError from libcloud.compute.drivers.digitalocean import DigitalOceanNodeDriver -from libcloud.test import MockHttp +from libcloud.test import MockHttpTestCase from libcloud.test.file_fixtures import ComputeFileFixtures from libcloud.test.secrets import DIGITAL_OCEAN_PARAMS @@ -103,7 +103,7 @@ def test_ex_destroy_ssh_key(self): self.assertTrue(result) -class DigitalOceanMockHttp(MockHttp): +class DigitalOceanMockHttp(MockHttpTestCase): fixtures = ComputeFileFixtures('digitalocean') def _regions(self, method, url, body, headers): @@ -129,6 +129,7 @@ def _droplets_119461_reboot(self, method, url, body, headers): def _droplets_119461_destroy(self, method, url, body, headers): # destroy_node + self.assertUrlContainsQueryParams(url, {'scrub_data': 'true'}) body = self.fixtures.load('destroy_node.json') return (httplib.OK, body, {}, httplib.responses[httplib.OK])
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
15- libcloud.apache.org/security.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-g892-9h8m-r69rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-6480ghsaADVISORY
- lists.opensuse.org/opensuse-updates/2014-02/msg00015.htmlnvdWEB
- github.com/apache/libcloud/blob/abba8c1719a8bda6db8efde2d46fd1b423ae4304/CHANGES.rstghsaWEB
- github.com/apache/libcloud/commit/4449e165a00756dc61430e6ad9520f005b045d29ghsaWEB
- github.com/fog/fog/issues/2525nvdWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-libcloud/PYSEC-2014-97.yamlghsaWEB
- issues.apache.org/jira/browse/LIBCLOUD-487ghsaWEB
- web.archive.org/web/20131230232003/https://digitalocean.com/blog_posts/transparency-regarding-data-securityghsaWEB
- web.archive.org/web/20140129025443/http://www.securityfocus.com/bid/64617ghsaWEB
- web.archive.org/web/20201209074449/http://www.securityfocus.com/archive/1/530624/100/0/threadedghsaWEB
- www.securityfocus.com/archive/1/530624/100/0/threadednvd
- www.securityfocus.com/bid/64617nvd
- digitalocean.com/blog_posts/transparency-regarding-data-securitynvd
News mentions
0No linked articles in our index yet.