1. CVE-Search
  2. CVE-2018-1247
ID CVE-2018-1247
Summary RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.
References
Vulnerable Configurations
  • cpe:2.3:a:rsa:authentication_manager:-:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:-:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:6.1:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:7.0:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:7.1:-:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:7.1:-:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:7.1:sp2:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:7.1:sp2:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:7.1:sp3:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:7.1:sp3:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:7.1:sp4:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:7.1:sp4:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.0:-:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.0:-:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.0:p1:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.0:p1:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.1:-:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.1:-:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.1:sp1:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.1:sp1:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.2:-:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.2:-:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.2:sp1:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.2:sp1:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.3:*:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.3:-:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.3:-:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.3:p1:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.3:p1:*:*:*:*:*:*
  • cpe:2.3:a:rsa:authentication_manager:8.3:p2:*:*:*:*:*:*
    cpe:2.3:a:rsa:authentication_manager:8.3:p2:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 13-06-2018 - 12:04)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:P
refmap via4
bid 104107
exploit-db 44634
fulldisc 20180504 DSA-2018-086: RSA Authentication Manager Multiple Vulnerabilities
sectrack 1040835
Last major update 13-06-2018 - 12:04
Published 08-05-2018 - 13:29
Last modified 13-06-2018 - 12:04
Back to Top