cvelistv5 - CVE-2018-6486

CVE-2018-6486 (GCVE-0-2018-6486)

Vulnerability from cvelistv5 – Published: 2018-02-02 14:00 – Updated: 2024-09-16 16:28

Title

MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

Summary

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Severity ?

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

XML External Entity (XXE)

Assigner

microfocus

References

URL

Tags

	http://www.securityfocus.com/bid/102902	vdb-entryx_refsource_BID
	https://softwaresupport.softwaregrp.com/document/…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Micro Focus	Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)	Affected: 16.10, 16.20, 17.10

Credits

Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:49.279Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "102902",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102902"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)",
          "vendor": "Micro Focus",
          "versions": [
            {
              "status": "affected",
              "version": "16.10, 16.20, 17.10"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com"
        }
      ],
      "datePublic": "2018-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XML External Entity (XXE)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-06T16:15:24",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "name": "102902",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102902"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
        }
      ],
      "title": "MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-02-01T18:58:00.000Z",
          "ID": "CVE-2018-6486",
          "STATE": "PUBLIC",
          "TITLE": "MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "16.10, 16.20, 17.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Micro Focus"
              }
            ]
          }
        },
        "credit": [
          "Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com"
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."
            }
          ]
        },
        "exploit": "XML External Entity (XXE)",
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XML External Entity (XXE)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "102902",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102902"
            },
            {
              "name": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653",
              "refsource": "CONFIRM",
              "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2018-6486",
    "datePublished": "2018-02-02T14:00:00Z",
    "dateReserved": "2018-02-01T00:00:00",
    "dateUpdated": "2024-09-16T16:28:00.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DCAC9EC0-3C36-465E-9687-B61BB7E5CD2B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ADB15BAB-2A01-4505-B23A-6733FEA144F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"52BE8B0D-5180-4277-9A5B-0DF0C89A9FDB\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_software_security_center:16.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA657021-3719-4055-BE1F-6402E976D68E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_software_security_center:16.20:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4C7D5750-8985-4AE0-B3AE-D31E278027AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E137D7D-8108-4EE2-9800-EAC66AB82D77\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad XEE (XML External Entity) en Micro Focus Fortify Audit Workbench (AWB) y Micro Focus Fortify Software Security Center (SSC), versiones 16.10, 16.20 y 17.10. Esta vulnerabilidad podr\\u00eda ser explotada para permitir inyecci\\u00f3n XEE (XML External Entity).\"}]",
      "id": "CVE-2018-6486",
      "lastModified": "2024-11-21T04:10:45.413",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-02-02T14:29:01.497",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/102902\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653\", \"source\": \"security@opentext.com\"}, {\"url\": \"http://www.securityfocus.com/bid/102902\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@opentext.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-6486\",\"sourceIdentifier\":\"security@opentext.com\",\"published\":\"2018-02-02T14:29:01.497\",\"lastModified\":\"2024-11-21T04:10:45.413\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad XEE (XML External Entity) en Micro Focus Fortify Audit Workbench (AWB) y Micro Focus Fortify Software Security Center (SSC), versiones 16.10, 16.20 y 17.10. Esta vulnerabilidad podr\u00eda ser explotada para permitir inyecci\u00f3n XEE (XML External Entity).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCAC9EC0-3C36-465E-9687-B61BB7E5CD2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADB15BAB-2A01-4505-B23A-6733FEA144F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52BE8B0D-5180-4277-9A5B-0DF0C89A9FDB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_software_security_center:16.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA657021-3719-4055-BE1F-6402E976D68E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_software_security_center:16.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C7D5750-8985-4AE0-B3AE-D31E278027AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E137D7D-8108-4EE2-9800-EAC66AB82D77\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/102902\",\"source\":\"security@opentext.com\"},{\"url\":\"https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653\",\"source\":\"security@opentext.com\"},{\"url\":\"http://www.securityfocus.com/bid/102902\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GHSA-J28W-MFMP-M73W

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-6486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-02T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.",
  "id": "GHSA-j28w-mfmp-m73w",
  "modified": "2022-05-13T01:32:01Z",
  "published": "2022-05-13T01:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6486"
    },
    {
      "type": "WEB",
      "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2018-6486

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-6486

Aliases

CVE-2018-6486

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-6486",
    "description": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.",
    "id": "GSD-2018-6486"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-6486"
      ],
      "details": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.",
      "id": "GSD-2018-6486",
      "modified": "2023-12-13T01:22:35.652758Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@microfocus.com",
        "DATE_PUBLIC": "2018-02-01T18:58:00.000Z",
        "ID": "CVE-2018-6486",
        "STATE": "PUBLIC",
        "TITLE": "MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "16.10, 16.20, 17.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Micro Focus"
            }
          ]
        }
      },
      "credit": [
        "Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com"
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."
          }
        ]
      },
      "exploit": "XML External Entity (XXE)",
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "XML External Entity (XXE)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "102902",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/102902"
          },
          {
            "name": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653",
            "refsource": "CONFIRM",
            "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_software_security_center:16.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:fortify_software_security_center:16.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@suse.com",
          "ID": "CVE-2018-6486"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
            },
            {
              "name": "102902",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/102902"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:41Z",
      "publishedDate": "2018-02-02T14:29Z"
    }
  }
}

CNVD-2018-04838

Vulnerability from cnvd - Published: 2018-03-12

Title

Micro Focus Fortify Audit Workbench和Fortify Software Security Center XML外部实体注入漏洞

Description

Micro Focus Fortify Audit Workbench（AWB）和Micro Focus Fortify Software Security Center（SSC）都是英国Micro Focus公司的产品。Micro Focus Fortify Audit Workbench（AWB）是一套软件安全审计平台。Micro Focus Fortify Software Security Center（SSC）是一套软件安全管理平台。 Micro Focus Fortify AWB和Micro Focus Fortify SSC中存在XML外部实体注入漏洞。攻击者可利用该漏洞获取敏感信息的访问权限或造成拒绝服务。

Severity

高

Patch Name

Micro Focus Fortify Audit Workbench和Fortify Software Security Center XML外部实体注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653

Reference

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653

Impacted products

Name
['Micro Focus Fortify Audit Workbench 16.10', 'Micro Focus Fortify Audit Workbench 16.20', 'Micro Focus Fortify Audit Workbench 17.10', 'Micro Focus Fortify Software Security Center 16.10', 'Micro Focus Fortify Software Security Center 16.20', 'Micro Focus Fortify Software Security Center 17.10']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-6486"
    }
  },
  "description": "Micro Focus Fortify Audit Workbench\uff08AWB\uff09\u548cMicro Focus Fortify Software Security Center\uff08SSC\uff09\u90fd\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4ea7\u54c1\u3002Micro Focus Fortify Audit Workbench\uff08AWB\uff09\u662f\u4e00\u5957\u8f6f\u4ef6\u5b89\u5168\u5ba1\u8ba1\u5e73\u53f0\u3002Micro Focus Fortify Software Security Center\uff08SSC\uff09\u662f\u4e00\u5957\u8f6f\u4ef6\u5b89\u5168\u7ba1\u7406\u5e73\u53f0\u3002\r\n\r\nMicro Focus Fortify AWB\u548cMicro Focus Fortify SSC\u4e2d\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u7684\u8bbf\u95ee\u6743\u9650\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04838",
  "openTime": "2018-03-12",
  "patchDescription": "Micro Focus Fortify Audit Workbench\uff08AWB\uff09\u548cMicro Focus Fortify Software Security Center\uff08SSC\uff09\u90fd\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4ea7\u54c1\u3002Micro Focus Fortify Audit Workbench\uff08AWB\uff09\u662f\u4e00\u5957\u8f6f\u4ef6\u5b89\u5168\u5ba1\u8ba1\u5e73\u53f0\u3002Micro Focus Fortify Software Security Center\uff08SSC\uff09\u662f\u4e00\u5957\u8f6f\u4ef6\u5b89\u5168\u7ba1\u7406\u5e73\u53f0\u3002\r\n\r\nMicro Focus Fortify AWB\u548cMicro Focus Fortify SSC\u4e2d\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u7684\u8bbf\u95ee\u6743\u9650\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Focus Fortify Audit Workbench\u548cFortify Software Security Center XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Micro Focus Fortify Audit Workbench 16.10",
      "Micro Focus Fortify Audit Workbench 16.20",
      "Micro Focus Fortify Audit Workbench 17.10",
      "Micro Focus Fortify Software Security Center 16.10",
      "Micro Focus Fortify Software Security Center 16.20",
      "Micro Focus Fortify Software Security Center 17.10"
    ]
  },
  "referenceLink": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-05",
  "title": "Micro Focus Fortify Audit Workbench\u548cFortify Software Security Center XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

FKIE_CVE-2018-6486

Vulnerability from fkie_nvd - Published: 2018-02-02 14:29 - Updated: 2024-11-21 04:10

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@opentext.com	http://www.securityfocus.com/bid/102902
	security@opentext.com	https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/102902
	af854a3a-2127-422b-91ae-364da2661108	https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653

Impacted products

Vendor	Product	Version
microfocus	fortify_audit_workbench	16.10
microfocus	fortify_audit_workbench	16.20
microfocus	fortify_audit_workbench	17.10
microfocus	fortify_software_security_center	16.10
microfocus	fortify_software_security_center	16.20
microfocus	fortify_software_security_center	17.10

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "DCAC9EC0-3C36-465E-9687-B61BB7E5CD2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "ADB15BAB-2A01-4505-B23A-6733FEA144F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "52BE8B0D-5180-4277-9A5B-0DF0C89A9FDB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:16.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA657021-3719-4055-BE1F-6402E976D68E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:16.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C7D5750-8985-4AE0-B3AE-D31E278027AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E137D7D-8108-4EE2-9800-EAC66AB82D77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad XEE (XML External Entity) en Micro Focus Fortify Audit Workbench (AWB) y Micro Focus Fortify Software Security Center (SSC), versiones 16.10, 16.20 y 17.10. Esta vulnerabilidad podr\u00eda ser explotada para permitir inyecci\u00f3n XEE (XML External Entity)."
    }
  ],
  "id": "CVE-2018-6486",
  "lastModified": "2024-11-21T04:10:45.413",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security@opentext.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-02-02T14:29:01.497",
  "references": [
    {
      "source": "security@opentext.com",
      "url": "http://www.securityfocus.com/bid/102902"
    },
    {
      "source": "security@opentext.com",
      "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/102902"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
    }
  ],
  "sourceIdentifier": "security@opentext.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-6486 (GCVE-0-2018-6486)

GHSA-J28W-MFMP-M73W

GSD-2018-6486

CNVD-2018-04838

FKIE_CVE-2018-6486

Tags

Sightings

Nomenclature