ID: CVE-2014-0644

Last Modified: April 17, 2014

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

Access Vector: Network

Access Complexity: Low

Authentication: None

Confidentiality Impact: Complete

Integrity Impact: None

Availability Impact: None

Base Score: 7.8

Exploitability Score: 10.0

Impact Score: 6.9

CVSS V2: AV:N/AC:L/Au:N/C:C/I:N/A:N

CWE-200

Condition Configuration
<?xml version="1.0" ?>
<set operator="and">
    <set operator="and">
        <set operator="or">
            <prop key="application" value="cpe:2.3:a:emc:cloud_tiering_appliance_software:10.0:-:*:*:*:*:*:*"/>
            <prop key="application" value="cpe:2.3:a:emc:cloud_tiering_appliance_software:10.0:sp1:*:*:*:*:*:*"/>
        </set>
        <set operator="or">
            <prop key="device" value="cpe:2.3:h:emc:cloud_tiering_appliance:-:*:*:*:*:*:*:*"/>
        </set>
    </set>
    <prop key="program_influence" value="input"/>
    <prop key="range" value="remote"/>
</set>

                  
<?xml version="1.0" ?>
<set operator="and">
    <set operator="and">
        <set operator="or">
            <prop key="application" value="cpe:2.3:a:emc:cloud_tiering_appliance_software:10.0:-:*:*:*:*:*:*"/>
            <prop key="application" value="cpe:2.3:a:emc:cloud_tiering_appliance_software:10.0:sp1:*:*:*:*:*:*"/>
        </set>
        <set operator="or">
            <prop key="device" value="cpe:2.3:h:emc:cloud_tiering_appliance:-:*:*:*:*:*:*:*"/>
        </set>
    </set>
    <prop key="program_influence" value="input"/>
    <prop key="data" value="any"/>
    <prop key="data_influence" value="read"/>
    <prop key="range" value="remote"/>
</set>