Vulnerability Details : CVE-2014-6212
The Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.5 before 9.5.1.3 iFix2, 10.0.0.x before 10.0.0.1 iFix1, 10.0.1.x before 10.0.1.3 iFix1, and 10.0.2.x before 10.0.2.5; and Emptoris Program Management (aka PGM) and Strategic Supply Management (aka SSMP) 10.0.0.x before 10.0.0.3 iFix6, 10.0.1.x before 10.0.1.4 iFix1, and 10.0.2.x before 10.0.2.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2014-6212
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:10.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_sourcing_portfolio:9.5.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:9.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_contract_management:10.0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris_program_management:10.0.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.1.1:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.1.2:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.1.3:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.0.1:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.0.2:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.2.1:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.2.2:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.0.0:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.1.4:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.2.0:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.0.3:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.1.0:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.2.3:*:*:*:*:*:*
- cpe:2.3:a:ibm:emptoris:strategic_supply_management:10.0.2.4:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-6212
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-6212
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST |
References for CVE-2014-6212
-
http://www-01.ibm.com/support/docview.wss?uid=swg21693069
IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529, CVE-2014-3574)Patch;Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/98689
IBM Emptoris Strategic Supply Management Platform, IBM Emptoris Program Management, and IBM Emptoris Telecom Expense Management information disclosure CVE-2014-6212 Vulnerability Report
Jump to