Vulnerability Details: CVE-2019-14277
Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issue as not being a vulnerability because "All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version."
Vulnerability categories: XML external entity (XXE) injection; Server-side request forgery (SSRF); Execute code; Denial of service
Products affected by CVE-2019-14277
- cpe:2.3:a:axway:securetransport:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:axway:securetransport:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:axway:securetransport:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:axway:securetransport:5.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:axway:securetransport:5.3.6:*:*:*:*:*:*:*
Threat overview for CVE-2019-14277
- Top countries where our scanners detected CVE-2019-14277: (map not reproduced)
- Top open port discovered on systems with this issue: 443
- IPs affected by CVE-2019-14277: 12
Exploit prediction scoring system (EPSS) score for CVE-2019-14277
- EPSS score: 15.03% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
- EPSS score history: (chart not reproduced)
CVSS scores for CVE-2019-14277
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2019-14277
- The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-14277
- https://community.axway.com/s/article/SecureTransport-Security-Notice (SecureTransport - Security Notice; Vendor Advisory)
- https://www.exploit-db.com/exploits/47150 (Axway SecureTransport 5 - Unauthenticated XML Injection; Exploit, Third Party Advisory, VDB Entry)
- https://community.axway.com/s/article/SecureTransport-Security-Notice-re-CVE-2019-14277-Unauthenticated-XML-Injection-and-XXE (SecureTransport - Security Notice re: CVE-2019-14277. Unauthenticated XML Injection and XXE; Vendor Advisory)
- https://zero.lol/2019-07-21-axway-securetransport-xml-injection/ (Axway SecureTransport 5.x XML Injection / XXE; Exploit, Third Party Advisory, URL Repurposed)
- https://gist.githubusercontent.com/zeropwn/59f17727dfaba239b0ace6f33b752974/raw/9b6541a94ac5ec181a88e6c84cb3e3001025b8fd/Axway%2520SecureTransport%25205.x%2520Unauthenticated%2520XXE (Exploit, Third Party Advisory)