ID CVE-2017-1527
Summary IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156.
References
Vulnerable Configurations
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.2:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.2:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.0.2:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.1:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.1:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.1:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.2:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.2:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.6.2:*:*:*:standard:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.7.0:*:*:*:advanced:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.7.0:*:*:*:express:*:*:*
  • cpe:2.3:a:ibm:business_process_manager:8.5.7.0:*:*:*:standard:*:*:*
CVSS
Base: 7.5 (as of 29-09-2017 - 18:13)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:N/A:C
refmap via4
bid 100959
confirm http://www.ibm.com/support/docview.wss?uid=swg22007346
misc https://exchange.xforce.ibmcloud.com/vulnerabilities/130156
Last major update 29-09-2017 - 18:13
Published 26-09-2017 - 17:29
Last modified 29-09-2017 - 18:13