Skip to main content

Rational Rhapsody Design Manager CVE-2018-1456

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2018-06-06 psirt@us.ibm.com
7.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
CVE Published
Jun 06, 2018 - 17:29 nvd
HIGH 7.1

DescriptionNVD

IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091.

AnalysisAI

IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091. Affected products include: Ibm Rational Rhapsody Design Manager, Ibm Rational Software Architect Design Manager. Version information: through 5.0.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

CVE-2017-1099 MEDIUM
4.3 Jun 13

IBM Jazz Foundation could expose potentially sensitive information to authenticated users through stack trace error cond

CVE-2021-29844 HIGH
8.8 Oct 27

IBM Jazz Team Server products is vulnerable to server-side request forgery (SSRF). Rated high severity (CVSS 8.8), this

CVE-2016-9698 HIGH
8.1 Jun 08

IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE)

CVE-2016-8974 HIGH
8.1 Feb 23

IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE)

CVE-2016-9707 HIGH
8.1 Mar 31

IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when pr

CVE-2019-4252 HIGH
7.5 Jun 27

IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 could allow a remote attacker to traverse directorie

CVE-2015-1928 MEDIUM
6.8 Jan 02

Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.x and 4.x before 4.0.7 IF

CVE-2018-1492 MEDIUM
6.8 Jul 10

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the

CVE-2018-1423 MEDIUM
6.5 Jul 10

IBM Jazz Foundation products could disclose sensitive information to an authenticated attacker that could be used in fur

CVE-2014-3037 MEDIUM
6.0 Sep 10

Cross-site request forgery (CSRF) vulnerability in IBM Configuration Management Application (aka VVC) in IBM Rational En

CVE-2018-1694 MEDIUM
5.9 Nov 06

IBM Jazz applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Ratio

CVE-2016-3014 MEDIUM
5.4 Nov 30

Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11 and

Share

CVE-2018-1456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy