IBM MDM InfoSphere Reference Data Management is vulnerable to an XML External Entity (XXE) attack caused by a weakly configured XML parser.
CVEID: CVE-2015-1909
DESCRIPTION: IBM InfoSphere Master Data Management Server could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing an XML request. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information which could result in gaining WebSphere Commerce administrator access.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101786> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
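What "weakly configured XML parser" means in practice, shown as an added example that is not IBM's code or the shipped fix: a default JAXP parser next to a hardened one, both given the same constructed request. The use of `DocumentBuilderFactory`, the class name `XxeHardening` and the placeholder entity path are assumptions; the bulletin does not name the parser the product uses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardening {
    // Constructed request body: declares an external entity at a placeholder path.
    static final String REQUEST =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///placeholder/not-a-real-file\">]>"
        + "<r>&e;</r>";

    // Weak: JAXP defaults accept a DOCTYPE and resolve external entities.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE; the remaining settings are defense in depth.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Reports whether the parser rejected the document or tried to fetch the entity.
    static String tryParse(DocumentBuilder b) {
        try {
            b.parse(new ByteArrayInputStream(REQUEST.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "parser tried to read the external entity: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak:     " + tryParse(weakBuilder()));
        System.out.println("hardened: " + tryParse(hardenedBuilder()));
    }
}
```

The weak parser fails only because the placeholder path does not exist, which shows it attempted the read; the hardened parser rejects the request at the DOCTYPE declaration before any entity is resolved.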
IBM InfoSphere MDM Reference Data Management Versions 11.4, 11.3, 11.0, 10.1.
The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM InfoSphere MDM Reference Data Management | 11.4 | None | 11.4-FP2 |
IBM InfoSphere MDM Reference Data Management | 11.3 | None | 11.3-FP3 |
IBM InfoSphere MDM Reference Data Management | 11.0 | None | 11.0-FP3 |
IBM InfoSphere MDM Reference Data Management | 10.1 | None | 10.1-IF1 |
None known
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | infosphere_master_data_management | 10.1 | cpe:2.3:a:ibm:infosphere_master_data_management:10.1:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.0 | cpe:2.3:a:ibm:infosphere_master_data_management:11.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.3 | cpe:2.3:a:ibm:infosphere_master_data_management:11.3:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.4 | cpe:2.3:a:ibm:infosphere_master_data_management:11.4:*:*:*:*:*:*:* |