Skip to main content

Rational Rhapsody Design Manager CVE-2016-9707

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2017-03-31 psirt@us.ibm.com
8.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 31, 2017 - 18:59 cve.org
HIGH 8.1

DescriptionCVE.org

IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000784.

AnalysisAI

IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000784. Affected products include: Ibm Rational Rhapsody Design Manager, Ibm Rational Quality Manager, Ibm Rational Engineering Lifecycle Manager, Ibm Rational Software Architect Design Manager, Ibm Rational Collaborative Lifecycle Management.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

CVE-2017-1099 MEDIUM
4.3 Jun 13

IBM Jazz Foundation could expose potentially sensitive information to authenticated users through stack trace error cond

CVE-2021-29844 HIGH
8.8 Oct 27

IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this

CVE-2016-9698 HIGH
8.1 Jun 08

IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE)

CVE-2016-8974 HIGH
8.1 Feb 23

IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE)

CVE-2019-4252 HIGH
7.5 Jun 27

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 could allow a remote attacker to traverse directorie

CVE-2018-1456 HIGH
7.1 Jun 06

IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack wh

CVE-2015-1928 MEDIUM
6.8 Jan 02

Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF

CVE-2018-1492 MEDIUM
6.8 Jul 10

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the

CVE-2018-1423 MEDIUM
6.5 Jul 10

IBM Jazz Foundation products could disclose sensitive information to an authenticated attacker that could be used in fur

CVE-2014-3037 MEDIUM
6.0 Sep 10

Cross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application (aka VVC) in IBM Rational En

CVE-2018-1694 MEDIUM
5.9 Nov 06

IBM Jazz applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Ratio

CVE-2016-3014 MEDIUM
5.4 Nov 30

Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11 and

Share

CVE-2016-9707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy