cnvd - cnvd-2018-17421

CNVD-2018-17421

Vulnerability from cnvd - Published: 2018-09-03

Title

CA PPM XML外部实体漏洞

Description

CA PPM是美国CA公司的一套项目和项目组合管理软件。该软件包括任务管理、项目规划、财务报告管理和资源管理等功能。 CA PPM中的XOG功能存在XML外部实体注入漏洞。远程攻击者可利用该漏洞实施服务器端请求伪造攻击。

Severity

高

Patch Name

CA PPM XML外部实体漏洞的补丁

Patch Description

CA PPM是美国CA公司的一套项目和项目组合管理软件。该软件包括任务管理、项目规划、财务报告管理和资源管理等功能。 CA PPM中的XOG功能存在XML外部实体注入漏洞。远程攻击者可利用该漏洞实施服务器端请求伪造攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html

Reference

https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html

Impacted products

Name
['CA PPM <=14.3', 'CA PPM 14.4', 'CA PPM 15.1', 'CA PPM <=15.2 CP5', 'CA PPM <=15.3 CP2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-13826"
    }
  },
  "description": "CA PPM\u662f\u7f8e\u56fdCA\u516c\u53f8\u7684\u4e00\u5957\u9879\u76ee\u548c\u9879\u76ee\u7ec4\u5408\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u5305\u62ec\u4efb\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u89c4\u5212\u3001\u8d22\u52a1\u62a5\u544a\u7ba1\u7406\u548c\u8d44\u6e90\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nCA PPM\u4e2d\u7684XOG\u529f\u80fd\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17421",
  "openTime": "2018-09-03",
  "patchDescription": "CA PPM\u662f\u7f8e\u56fdCA\u516c\u53f8\u7684\u4e00\u5957\u9879\u76ee\u548c\u9879\u76ee\u7ec4\u5408\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u5305\u62ec\u4efb\u52a1\u7ba1\u7406\u3001\u9879\u76ee\u89c4\u5212\u3001\u8d22\u52a1\u62a5\u544a\u7ba1\u7406\u548c\u8d44\u6e90\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nCA PPM\u4e2d\u7684XOG\u529f\u80fd\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "CA PPM XML\u5916\u90e8\u5b9e\u4f53\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "CA PPM \u003c=14.3",
      "CA PPM 14.4",
      "CA PPM 15.1",
      "CA PPM \u003c=15.2 CP5",
      "CA PPM \u003c=15.3 CP2"
    ]
  },
  "referenceLink": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html",
  "serverity": "\u9ad8",
  "submitTime": "2018-08-31",
  "title": "CA PPM XML\u5916\u90e8\u5b9e\u4f53\u6f0f\u6d1e"
}

CVE-2018-13826 (GCVE-0-2018-13826)

Vulnerability from cvelistv5 – Published: 2018-08-30 14:00 – Updated: 2024-09-17 04:08

Summary

An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks.

Severity ?

No CVSS data available.

CWE

XML External Entity (XXE)

Assigner

References

URL

Tags

	http://www.securityfocus.com/bid/105297	vdb-entryx_refsource_BID
	https://support.ca.com/us/product-content/recomme…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	CA Technologies	PPM	Affected: 15.3 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:14:47.441Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "105297",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105297"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PPM",
          "vendor": "CA Technologies",
          "versions": [
            {
              "status": "affected",
              "version": "15.3 and earlier"
            }
          ]
        }
      ],
      "datePublic": "2018-08-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XML External Entity (XXE)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-09-08T09:57:01",
        "orgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f",
        "shortName": "ca"
      },
      "references": [
        {
          "name": "105297",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105297"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vuln@ca.com",
          "DATE_PUBLIC": "2018-08-29T00:00:00",
          "ID": "CVE-2018-13826",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PPM",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "15.3 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "CA Technologies"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server side request forgery attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XML External Entity (XXE)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "105297",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105297"
            },
            {
              "name": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html",
              "refsource": "CONFIRM",
              "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f",
    "assignerShortName": "ca",
    "cveId": "CVE-2018-13826",
    "datePublished": "2018-08-30T14:00:00Z",
    "dateReserved": "2018-07-10T00:00:00",
    "dateUpdated": "2024-09-17T04:08:43.228Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-17421

CVE-2018-13826 (GCVE-0-2018-13826)

Tags

Sightings

Nomenclature