Use of XML external entities in RSA DM linktype definitions constitutes a security risk, including disclosure of local files.
The error message displayed when parsing incorrect XML can disclose unnecessary technical details that could be used to construct further attacks.
**CVEID:** CVE-2018-1456
**DESCRIPTION:** IBM Rhapsody DM is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
**CVSS Base Score:** 7.1
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/140091 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** CVE-2018-1587
**DESCRIPTION:** IBM Rhapsody DM could reveal technical error messages that allow an adversary to gain information about the application and database, which could be used to conduct further attacks.
**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/143500 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
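The two issues above share one defensive pattern: parse untrusted XML with a parser that refuses DOCTYPE and external entity constructs outright, and report parse failures to the caller with a generic message while the parser's own diagnostic goes only to the server log. The following is an added example of that pattern, written here for illustration; it is not code from the IBM bulletin or from the RSA DM / Rhapsody DM product. The `<linktypes>`/`<linktype>` element names, the `parse_linktypes` function and the sample documents are constructed assumptions, since the bulletin does not describe the real linktype definition format.

```python
"""Hardened XML parsing plus safe error reporting (added example).

Assumed, constructed format: <linktypes><linktype id=".." label=".."/></linktypes>.
"""
import logging
from xml.parsers import expat

log = logging.getLogger("linktype-import")

# Constructed sample inputs (not taken from the bulletin or the product).
GOOD_DOC = '<linktypes><linktype id="trace" label="Trace"/></linktypes>'
# A DOCTYPE declaring an external entity; the path is a placeholder.
XXE_DOC = (
    '<!DOCTYPE linktypes [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
    '<linktypes><linktype id="&ext;"/></linktypes>'
)
# Mismatched tags: well-formedness error, not a security construct.
MALFORMED_DOC = '<linktypes><linktype id="trace"></linktypes>'


class XmlSecurityError(ValueError):
    """Raised when the document uses a construct the importer forbids."""


def _make_parser(found):
    p = expat.ParserCreate()
    # 1. Never follow external parameter entities (external DTD subsets).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # 2. Refuse any DOCTYPE: a definition file has no legitimate need for a
    #    DTD, and without a DTD no entities of any kind can be declared.
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlSecurityError("DOCTYPE declarations are not permitted")
    p.StartDoctypeDeclHandler = forbid_doctype

    # 3. Defence in depth: even if a DOCTYPE were accepted, refuse to resolve
    #    any external entity reference (file://, http://, ...).
    def forbid_external(context, base, system_id, public_id):
        raise XmlSecurityError("external entity reference refused: %r" % system_id)
    p.ExternalEntityRefHandler = forbid_external

    def start_element(name, attrs):
        if name == "linktype":
            found.append({"id": attrs.get("id"), "label": attrs.get("label")})
    p.StartElementHandler = start_element
    return p


def parse_linktypes(xml_text):
    """Return {'ok': True, 'linktypes': [...]} or {'ok': False, 'error': msg}.

    The message handed back to the caller is deliberately generic. The
    parser's own diagnostic (line/column, entity name, offending construct)
    is written only to the server log, so a client never sees it.
    """
    found = []
    parser = _make_parser(found)
    try:
        parser.Parse(xml_text, True)
    except XmlSecurityError as exc:
        log.warning("linktype import blocked: %s", exc)
        return {"ok": False, "error": "Linktype definition rejected"}
    except expat.ExpatError as exc:
        log.warning("linktype import failed: %s", exc)
        return {"ok": False, "error": "Linktype definition is not valid XML"}
    return {"ok": True, "linktypes": found}


if __name__ == "__main__":
    for doc in (GOOD_DOC, XXE_DOC, MALFORMED_DOC):
        print(parse_linktypes(doc))
```

Raising inside an expat handler aborts the parse and propagates the exception out of `Parse()`, so the external entity is never resolved. The DOCTYPE check fires before any entity declaration is seen, which is why the hardened parser rejects the second document at the DOCTYPE rather than at the entity reference.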
IBM Rational Software Architect Design Manager 4.0.0 - 4.0.7
IBM Rational Software Architect Design Manager 5.0.0 - 5.0.2
IBM Rational Software Architect Design Manager 6.0.0 - 6.0.2
For IBM Rational Software Architect Design Manager version 4.0.0 - 4.0.7 contact IBM Support.
For IBM Rational Software Architect Design Manager version 5.0.0 - 5.0.1 upgrade to version 5.0.2 and apply 5.0.2 iFix011d.
For IBM Rational Software Architect Design Manager version 6.0.0 - 6.0.1 upgrade to version 6.0.2 and apply 6.0.2 iFix003d.
Workarounds and mitigations: none.