Vulnerability Details : CVE-2014-3087
callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injectionInformation leak
Exploit prediction scoring system (EPSS) score for CVE-2014-3087
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-3087
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST |
CWE ids for CVE-2014-3087
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3087
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
WebSphere Lombardi Edition External Entity Injection (XXE) CVE-2014-3087 Vulnerability Report
-
http://secunia.com/advisories/60755
Runtime Error
-
http://www-01.ibm.com/support/docview.wss?uid=swg21679726
IBM Security Bulletin: Injection vulnerabilities in WebSphere Lombardi Edition and IBM Business Process Manager (BPM) (CVE-2014-3087)Patch;Vendor Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
IBM JR50616: SECURITY APAR CVE-2014-3087 - XML PARSER NOT CONFIGURED TO PREVENT SECURITY VULNERABILITYVendor Advisory
-
http://www.securityfocus.com/bid/69264
Multiple IBM Products CVE-2014-3087 XML External Entity Information Disclosure Vulnerability
-
http://secunia.com/advisories/60752
Sign in
-
http://secunia.com/advisories/60757
Sign in
Products affected by CVE-2014-3087
- cpe:2.3:a:ibm:websphere_application_server:7.2:*:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*