There is an information disclosure due to an XML external entity (XXE) vulnerability when using the OpenSAML features in WebSphere Application Server Liberty.
CVEID: CVE-2013-6440
DESCRIPTION: OpenSAML could allow a remote attacker to obtain sensitive information, caused by an error when parsing XML entities. By persuading a victim to open a specially-crafted XML document containing external entity references, an attacker could exploit this vulnerability to obtain sensitive information (for example, the contents of local files readable by the server process). The CVSS vector below scores authentication as not required.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89714 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
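Added example, not code from the IBM bulletin or from the OpenSAML project: a stand-alone Java check that contrasts a default JAXP DocumentBuilder, which expands an external general entity declared in a DOCTYPE, with a parser hardened against XXE. The bulletin does not say which parser settings were at fault inside OpenSAML, so this shows the generic XXE mechanism and the standard JAXP mitigations, not the shipped fix. The element names, the temporary "secret" file and the class name are constructed for illustration; it assumes Java 11 or later (for Files.writeString) and the JDK's built-in Xerces parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeCheck {

    // Constructed sample: a stand-in for a SAML-style document whose DTD declares
    // an external general entity pointing at a local file and expands it inside
    // element text. Element names are illustrative, not real SAML schema.
    static String craftedDocument(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE Assertion [\n"
             + "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<Assertion><Subject>&leak;</Subject></Assertion>\n";
    }

    // Default JAXP factory: DTDs and external general entities are processed,
    // so &leak; is replaced by the referenced file's contents.
    static DocumentBuilder unhardenedParser() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: refuse DOCTYPE outright (SAML never needs a DTD), and
    // additionally disable external entities and external DTD loading for
    // deployments that cannot forbid DOCTYPE entirely.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the text of the first <Subject> element.
    static String subjectText(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getElementsByTagName("Subject").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-TOKEN-123");   // constructed "sensitive" content
        String xml = craftedDocument(secret);
        try {
            // Unhardened: the entity expands and the file content is disclosed.
            System.out.println("unhardened parser read: " + subjectText(unhardenedParser(), xml));

            // Hardened: parsing fails at the DOCTYPE, before any entity is resolved.
            try {
                subjectText(hardenedParser(), xml);
                System.out.println("hardened parser: UNEXPECTEDLY parsed the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeCheck.java && java XxeCheck`. The first line printed shows the temp file's content coming back through the parsed element; the second shows the hardened builder rejecting the DOCTYPE. For a deployed Liberty server the remediation is still the APAR below; this check is for application code that parses untrusted XML itself, where `disallow-doctype-decl` is the single setting that closes both external entities and DTD-based entity expansion attacks.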
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
The recommended solution is to apply the interim fix or Fix Pack containing APAR PI89102 for each named product as soon as practical.
For WebSphere Application Server Liberty using the OpenSAML features:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89103
--OR--
· Apply Liberty Fix Pack 17.0.0.4 or later.