Vulnerability Details : CVE-2014-3087
callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability categories: XML external entity (XXE) injection; Information leak
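The mechanism the description above refers to, shown as an added example that is neither IBM's code nor taken from this page: a constructed service request carries a DOCTYPE that declares an external entity pointing at a local file and then references that entity inside a field, and the same request is run through two parser configurations. The vulnerable one honours external general entities and hands back the file contents in place of the field value, which is the arbitrary file read the advisory describes; the hardened one disables external general and parameter entities, installs an entity resolver that refuses every external reference, and rejects any DOCTYPE outright so the request fails loudly instead of silently yielding an empty field. IBM BPM is a Java product, so the real fix would be JAXP parser features (for example `http://apache.org/xml/features/disallow-doctype-decl` set to true and the `external-general-entities` / `external-parameter-entities` SAX features set to false); the page does not say which parser IBM reconfigured, and Python's standard-library `xml.sax` parser is used here only because it runs stand-alone. The `request`/`serviceName` element names, the temporary secret file and its content are all constructed for the example.

```python
"""Added example (not IBM's code): the parser-misconfiguration class behind
CVE-2014-3087, demonstrated with Python's stdlib xml.sax parser. IBM BPM is a
Java (JAXP) product; the settings here are analogous, not identical."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler, EntityResolver


class TextCollector(ContentHandler):
    """Accumulates character data, the way a service would read a request field."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RefuseExternalEntities(EntityResolver):
    """Defence in depth: any attempt to resolve an external entity is an error."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError(f"external entity rejected: {systemId!r}")


class RejectDoctype:
    """Lexical handler that refuses a DOCTYPE outright. A service request has no
    business carrying one, so fail loudly rather than expand it to nothing."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in service requests")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(path):
    """Constructed attacker request (hypothetical element names): declares an
    external entity that points at a local file, then references it in a field."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<request><serviceName>&xxe;</serviceName></request>\n"
    ).encode("utf-8")


def parse_vulnerable(xml_bytes):
    """Parser that expands external general entities: the misconfiguration."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """External entity expansion off, resolver refuses, DOCTYPE rejected."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setEntityResolver(RefuseExternalEntities())
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Plants a constructed secret file, runs the same payload through both
    parsers and returns (what the vulnerable parser leaked, hardened outcome)."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("s3cr3t-token")  # constructed secret, never a real one
        payload = xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)  # file contents replace the field
        try:
            outcome = parse_hardened(payload)
        except ValueError as e:
            outcome = f"rejected: {e}"
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser:", outcome)
    clean = b"<request><serviceName>GetOrders</serviceName></request>"
    print("hardened parser on a clean request:", parse_hardened(clean))
```

Disabling entity expansion alone is enough to stop the file read, but the DOCTYPE rejection is what makes a probing request visible in logs: with expansion merely switched off, the attacker's field simply arrives empty and the attempt goes unnoticed.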
Products affected by CVE-2014-3087
- cpe:2.3:a:ibm:websphere_application_server:7.2:*:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3087
EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~44% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-3087
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST |
CWE ids for CVE-2014-3087
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3087
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
  WebSphere Lombardi Edition External Entity Injection (XXE) CVE-2014-3087 Vulnerability Report
- http://secunia.com/advisories/60755
  Secunia advisory 60755
- http://www-01.ibm.com/support/docview.wss?uid=swg21679726
  IBM Security Bulletin: Injection vulnerabilities in WebSphere Lombardi Edition and IBM Business Process Manager (BPM) (CVE-2014-3087) [Patch; Vendor Advisory]
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
  IBM JR50616: SECURITY APAR CVE-2014-3087 - XML PARSER NOT CONFIGURED TO PREVENT SECURITY VULNERABILITY [Vendor Advisory]
- http://www.securityfocus.com/bid/69264
  Multiple IBM Products CVE-2014-3087 XML External Entity Information Disclosure Vulnerability
- http://secunia.com/advisories/60752
  Secunia advisory 60752
- http://secunia.com/advisories/60757
  Secunia advisory 60757