XXE in Trustwave Modsecurity

CVE-2013-1915

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entit…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.048 (89.7th percentile) — read the EPSS interpretation.

Affected products

Trustwave Modsecurity
Debian Debian_linux — versions 6.0, 7.0
Fedoraproject Fedora — versions 17, 18, 19
Opensuse — versions 11.4, 12.2, 12.3
N/a — versions n/a

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

openSUSE-SU-2013:1342 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Third Party Advisory)
openSUSE-SU-2013:1331 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
[oss-security] 20130403 Re: CVE Request -- ModSecurity (X < 2.7.3): Vulnerable to XXE attacks (mailing-list, x_refsource_MLIST, Patch, Mailing List, Third Party Advisory)
58810 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
FEDORA-2013-4831 (x_refsource_FEDORA, vendor-advisory, Third Party Advisory)
MDVSA-2013:156 (vendor-advisory, Third Party Advisory, x_refsource_MANDRIVA)
secalert@redhat.com (Patch, Third Party Advisory, x_refsource_MISC, Issue Tracking)
FEDORA-2013-4834 (x_refsource_FEDORA, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory, Release Notes)