Is CVE-2013-0340 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 19%.

What products does CVE-2013-0340 affect?

Tracked products affected include Python. Check the version you run to see whether it is affected.

How do I fix CVE-2013-0340?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2013-0340

Q: What is CVE-2013-0340?

CVE-2013-0340 is a medium-severity software vulnerability (XML external entity (XXE)) with a CVSS score of 6.8. expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP

MEDIUM severity · CVSS 6.8 · XML external entity (XXE)

6.8CVSS MEDIUM

Summary

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impact—

Exploit probability (EPSS)19%

AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected products we track (1)

Python

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://seclists.org/fulldisclosure/2021/Oct/61Advisory
http://seclists.org/fulldisclosure/2021/Oct/62Advisory
http://seclists.org/fulldisclosure/2021/Oct/63Advisory
http://seclists.org/fulldisclosure/2021/Sep/33Advisory
http://seclists.org/fulldisclosure/2021/Sep/34Advisory
http://seclists.org/fulldisclosure/2021/Sep/35Advisory
http://seclists.org/fulldisclosure/2021/Sep/38Advisory
http://openwall.com/lists/oss-security/2013/02/22/3Advisory