4

CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmBusiness Process Manager Version7.5.0.0
IbmBusiness Process Manager Version7.5.0.1
IbmBusiness Process Manager Version7.5.1.0
IbmBusiness Process Manager Version7.5.1.1
IbmBusiness Process Manager Version7.5.1.2
IbmBusiness Process Manager Version8.0.0.0
IbmBusiness Process Manager Version8.0.1.0
IbmBusiness Process Manager Version8.0.1.1
IbmBusiness Process Manager Version8.0.1.2
IbmBusiness Process Manager Version8.5.0.0
IbmBusiness Process Manager Version8.5.0.1
IbmBusiness Process Manager Version8.5.5.0
IbmWebsphere Application Server Version7.2 Editionlombardi
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.33% 0.674
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://secunia.com/advisories/60752
http://secunia.com/advisories/60755
http://secunia.com/advisories/60757
http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21679726
Patch
Vendor Advisory
http://www.securityfocus.com/bid/69264
https://exchange.xforce.ibmcloud.com/vulnerabilities/94112