XML External Entity Injection Vulnerability in IBM Business Process Manager
CVE-2017-1527

8.1HIGH

Key Information:

Vendor
IBM
Status
Business Process Manager Advanced
Vendor
CVE Published:
26 September 2017

Summary

IBM Business Process Manager versions 7.5, 8.0, and 8.5 are susceptible to an XML External Entity Injection (XXE) vulnerability. This security flaw occurs when the application processes XML data, enabling a remote attacker to manipulate the XML content to disclose sensitive information or exhaust server resources. Exploiting this vulnerability can lead to severe data breaches and hinder system performance.

Affected Version(s)

Business Process Manager Advanced 7.5

Business Process Manager Advanced 7.5.0.1

Business Process Manager Advanced 7.5.1

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/130156
x_refsource_MISC
http://www.ibm.com/support/docview.wss?uid=swg22007346
x_refsource_CONFIRM
http://www.securityfocus.com/bid/100959
vdb-entryx_refsource_BID

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.