Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD20FDABC025C0255EDEC4188AB5195852E310B74EF78EC81574D9FF893B882A6
HistoryJul 10, 2018 - 12:13 a.m.

Security Bulletin: FileNet Content Management Interoperability Services (CMIS), which ships with IBM Content navigator, is affected by the ability to parse untrusted XML input containing a reference to an external entity

2018-07-1000:13:53
www.ibm.com
9

0.002 Low

EPSS

Percentile

56.2%

JSON

Summary

FileNet Content Management Interoperability Services (CMIS), which ships with IBM Content Navigator, is affected by the following vulnerability:
Ability to process untrusted XML input containing a reference to an external entity that is parsed by a weekly configured XML parser.

Vulnerability Details

CVE-ID:CVE-2018-1364
DESCRIPTION: IBM Content Navigator 2.0 and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 8.2
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/137449 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Content Navigator 2.0.3.8
IBM Content Navigator 3.0.2
IBM Content Navigator 3.0.3

Remediation/Fixes

Product

| VRMF | Remediation/First Fix
—|—|—
IBM Content Navigator | 2.0.3.8 | Download the fix ICN 2.0.3 FP8 LA 19 from IBM Fix central (https://www.ibm.com/support/fixcentral/ )
IBM Content Navigator | 3.0.2 | Download the fix ICN 3.0.2 LA 06 from IBM Fix central (https://www.ibm.com/support/fixcentral/)
IBM Content Navigator | 3.0.3 | Download the fix CMIS &CS 3.0.3-iFix004 from IBM Fix central (<https://www.ibm.com/support/fixcentral/&gt;)

Workarounds and Mitigations

FileNet Content Management Interoperability Services (CMIS) could allow a remote attacker to pass untrusted XML input containing a reference to an external entity. This attack may lead to the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning from the perspective of the machine where the parser is located, and other system impacts. FileNet Content Management Interoperability Services (CMIS) leverages DocumentBuilderFactory, SchemaFactory parsers have been fixed to make sure the vulnerability is addressed.

Related

ibm 3
nvd 1
cvelist 1
prion 1
cve 1
myhack58 1
ibm
ibm
Security Bulletin: A security vulnerability in FileNet Content Management Interoperability Services (CMIS) might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2018-1364)
2022-09-14 15:02:20
Security Bulletin: A security vulnerability has been identified in FileNet Content Management Interoperability Services (CMIS) shipped with IBM Case Manager (CVE-2018-1364)
2018-09-04 22:20:11
Security Bulletin: IBM Content Navigator is affected by an XML External Entity Injection (XXE) vulnerability
2018-06-17 12:19:13
nvd
nvd
CVE-2018-1364
2018-01-29 16:29:00
cvelist
cvelist
CVE-2018-1364
2018-01-25 00:00:00
prion
prion
Xxe
2018-01-29 16:29:00
cve
cve
CVE-2018-1364
2018-01-29 16:29:00
myhack58
myhack58
The defect-week session of the fourth term: XML external entity injection-vulnerability warning-the black bar safety net
2018-10-11 00:00:00

0.002 Low

EPSS

Percentile

56.2%

JSON
Related for D20FDABC025C0255EDEC4188AB5195852E310B74EF78EC81574D9FF893B882A6
ibm3nvd1cvelist1prion1cve1myhack581