Vulnerability Details : CVE-2014-5392
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.
Vulnerability category: XML external entity (XXE) injection, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2014-5392
Probability of exploitation activity in the next 30 days: 0.48%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 73 %
CVSS scores for CVE-2014-5392
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:P | 8.6 | 4.9 | NIST |
References for CVE-2014-5392
- http://www.securityfocus.com/archive/1/533374/100/0/threaded
  SecurityFocus
- https://change.sos-berlin.com/browse/JS-1204
  [JS-1204] XML eXternal Entity (XXE) Vulnerability (CVE-2014-5392) - SOS JIRA
- http://www.sos-berlin.com/modules/news/article.php?storyid=73
  Patch
- http://packetstormsecurity.com/files/128181/JobScheduler-XML-eXternal-Entity-Injection.html
  JobScheduler XML eXternal Entity Injection ≈ Packet Storm (Patch)
- http://www.christian-schneider.net/advisories/CVE-2014-5392.txt
  Patch
Products affected by CVE-2014-5392
- cpe:2.3:a:sos:jobscheduler:*:*:*:*:*:*:*:*
- cpe:2.3:a:sos:jobscheduler:1.6.4043:*:*:*:*:*:*:*
- cpe:2.3:a:sos:jobscheduler:1.7.4177:*:*:*:*:*:*:*
- cpe:2.3:a:sos:jobscheduler:1.7.4189:*:*:*:*:*:*:*
- cpe:2.3:a:sos:jobscheduler:1.6.4014:*:*:*:*:*:*:*