CVE-2021-21517

EPSS 0.44%
Published 01.03.2021 21:15:14
Last modified 21.11.2024 05:48:30
Source security_alert@emc.com
Teams watchlist Login
Open Login

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Dell ≫ Emc Srs Policy Manager Version6.6

Dell ≫ Emc Srs Policy Manager Version6.8.3

Dell ≫ Emc Srs Policy Manager Version6.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.44%	0.602

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:N/A:P
security_alert@emc.com	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-21517

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21517

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21517

EUVD