Vulnerability Details : CVE-2015-3269
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection, Information leak
Products affected by CVE-2015-3269
- cpe:2.3:a:hp:business_service_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:livecycle_data_services:4.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-3269
- 0.31%: Probability of exploitation activity in the next 30 days
- ~ 70 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-3269
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2015-3269
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3269
- http://www.vmware.com/security/advisories/VMSA-2015-0008.html
  VMSA-2015-0008.2
- http://www.securityfocus.com/archive/1/536266/100/0/threaded
  SecurityFocus
- http://www.securitytracker.com/id/1033337
  Adobe LiveCycle Data Services XML Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05026202
  HPSBGN03550 rev.2 - HP Operations Manager i and BSM using Apache Flex BlazeDS, Remote Disclosure of Information (Third Party Advisory)
- https://helpx.adobe.com/security/products/livecycleds/apsb15-20.html
  Adobe Security Bulletin (Patch; Vendor Advisory)
- https://www.zerodayinitiative.com/advisories/ZDI-22-508/
  ZDI-22-508 | Zero Day Initiative
- http://marc.info/?l=bugtraq&m=145706712500978&w=2
  '[security bulletin] HPSBGN03550 rev.2 - HP Operations Manager i and BSM using Apache Flex BlazeDS, R' - MARC (Third Party Advisory)
- https://helpx.adobe.com/content/help/en/security/products/coldfusion/apsb15-21.html
  Adobe Security Bulletin
- http://www.securityfocus.com/bid/76394
  Adobe LiveCycle Data Services CVE-2015-3269 XML External Entity Information Disclosure Vulnerability