History: Mar 01, 2021 - 8:25 p.m.

CVE-2021-21517

2021-03-01 20:25:14
CWE-611
dell
www.cve.org
5
srs policy manager
xml external entity injection
xxe
vulnerability
misconfigured xml parser
user-supplied dtd input
validation
remote unauthenticated attacker
system files
non-root user
esrs service
exploit

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

AI Score: 7.3
Confidence: High

EPSS: 0.001
Percentile: 50.5%

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.

CNA Affected

[
  {
    "product": "SRS Policy Manager",
    "vendor": "Dell",
    "versions": [
      {
        "lessThan": "7.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
