{"id":"PYSEC-2026-790","summary":"OpenStack Cinder Denial of Service using XML entities ","details":"The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.  NOTE: this issue is due to an incomplete fix for CVE-2013-1664.","aliases":["CVE-2013-4202","GHSA-mfg4-9xf4-f45q"],"modified":"2026-07-07T11:45:43.151596166Z","published":"2026-07-06T08:03:22.754453Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4202"},{"type":"WEB","url":"https://bugs.launchpad.net/ossa/+bug/1190229"},{"type":"PACKAGE","url":"https://github.com/openstack/cinder"},{"type":"WEB","url":"http://github.com/openstack/cinder/commit/2023eecc4b1a35daf42a64fa01967ed12c7d017b"},{"type":"WEB","url":"http://github.com/openstack/cinder/commit/4ad95dba4fccbbc0df923dea0dc9e5c3ac9f4cc2"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2013-1198.html"},{"type":"WEB","url":"http://www.ubuntu.com/usn/USN-2005-1"},{"type":"PACKAGE","url":"https://pypi.org/project/cinder"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-mfg4-9xf4-f45q"}],"affected":[{"package":{"name":"cinder","ecosystem":"PyPI","purl":"pkg:pypi/cinder"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.0a0"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/cinder/PYSEC-2026-790.yaml"}}],"schema_version":"1.7.5"}