CVE-2013-6480 — Libcloud does not properly scrub data when destroying a DigitalOcean node

Description

Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.

How to fix CVE-2013-6480

To remediate CVE-2013-6480, upgrade the affected package to a fixed version below.

PyPI/apache-libcloud—upgrade to 0.13.3 or later
PyPI/apache-libcloud—upgrade to 0.13.3 or later

Is CVE-2013-6480 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 0.12.3, < 0.13.3
>= 0.12.3, < 0.13.3

References (16)

ADVISORYdigitalocean.com/blog_posts/transparency-regarding-data-security
ADVISORYgithub.com/advisories/GHSA-g892-9h8m-r69r
ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-6480
PATCHgithub.com/apache/libcloud
WEB