Vulnerabilities > CVE-2017-1219 - XXE vulnerability in IBM Bigfix Platform

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

ibm

CWE-611

nessus

NVD

Published: 2017-07-19

Updated: 2017-07-25

Summary

IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 123859.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM Bigfix Platform 9.1 IBM Bigfix Platform 9.1.3 IBM Bigfix Platform 9.1.4 IBM Bigfix Platform 9.1.5 IBM Bigfix Platform 9.1.6 IBM Bigfix Platform 9.1.7 IBM Bigfix Platform 9.2 IBM Bigfix Platform 9.2.0 IBM Bigfix Platform 9.2.1 IBM Bigfix Platform 9.2.2 IBM Bigfix Platform 9.2.3 IBM Bigfix Platform 9.2.4 IBM Bigfix Platform 9.2.5 IBM Bigfix Platform 9.2.6 IBM Bigfix Platform 9.2.7	15

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Nessus

NASL family	Web Servers
NASL id	IBM_TEM_9_2_11_19.NASL
description	According to its self-reported version, the IBM BigFix Platform application running on the remote host is 9.1.x prior to 9.1.1328.0 or 9.2.x prior to 9.2.11.19. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds pointer arithmetic error exists in zlib within file inftrees.c. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition. (CVE-2016-9840) - An out-of-bounds pointer arithmetic error exists in zlib within file inffast.c. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition. (CVE-2016-9841) - A flaw exists in zlib in the z_streamp() function within file inflate.c that is related to left shifts of negative numbers. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition. (CVE-2016-9842) - An out-of-bounds pointer flaw exists in the crc32_big() function within file crc32.c when handling big-endian pointer calculations. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition. (CVE-2016-9843) - A cross-site scripting (XSS) vulnerability exists in the web-based user interface due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
last seen	2020-06-01
modified	2020-06-02
plugin id	102019
published	2017-07-27
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102019
title	IBM BigFix Platform 9.1.x < 9.1.1328.0 / 9.2.x < 9.2.11.19 Multiple Vulnerabilities

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References