Main Vulnerability Database SB2018112908

SB2018112908 - XXE attack in IBM WebSphere Application Server

Published: November 29, 2018

Security Bulletin ID SB2018112908

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) XXE attack (CVE-ID: CVE-2018-1905)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input and obtain potentially sensitive information or consume excessive resources to cause the server to crash.

Remediation

Install update from vendor's website.

References

https://www-01.ibm.com/support/docview.wss?uid=ibm10738721