CVE-2013-5452

IBM FileNet Business Process Framework 4.1.0 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1PJ40949
http://www-01.ibm.com/support/docview.wss?uid=swg21660343	Vendor Advisory
http://www-304.ibm.com/support/docview.wss?uid=swg21963014
http://www.securitytracker.com/id/1033734
https://exchange.xforce.ibmcloud.com/vulnerabilities/88192

Configurations

Configuration 1 (hide)

cpe:2.3:a:ibm:filenet_business_process_framework:4.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2013-12-19 22:55

Updated : 2024-02-28 12:00

NVD link : CVE-2013-5452

Mitre link : CVE-2013-5452

CVE.ORG link : CVE-2013-5452

JSON object : View

Products Affected

ibm

filenet_business_process_framework

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2013-5452", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-12-19T22:55:04.353", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PJ40949", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660343", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www-304.ibm.com/support/docview.wss?uid=swg21963014", "source": "psirt@us.ibm.com"}, {"url": "http://www.securitytracker.com/id/1033734", "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88192", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "IBM FileNet Business Process Framework 4.1.0 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "IBM FileNet Business Process Framework 5.1.0 permite a usuarios autenticados remotamente leer ficheros arbitrarios o mandar peticiones TCP a servidores intranet a trav\u00e9s de datos XML conteniendo una declaraci\u00f3n de entidad externa en conjunci\u00f3n con una referencia a entidad, relacionado con un problema XML External Entity (XXE)"}], "lastModified": "2017-08-29T01:33:47.763", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:filenet_business_process_framework:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E67286C-C410-4924-BC1D-C0D992175FAD"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}