CVE-2014-4834

Опубликовано: 05 нояб. 2014

Источник: nvd

CVSS2: 4.3

EPSS Низкий

Описание

IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Комментарий

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ibm:websphere_commerce:6.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.2:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.3:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.4:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.5:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.6:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.7:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.8:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.9:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.10:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:6.0.0.11:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.2:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.3:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.4:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.5:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.6:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.7:*:*:*:*:*:*:*

cpe:2.3:a:ibm:websphere_commerce:7.0.0.8:*:*:*:*:*:*:*

EPSS

Процентиль: 73%

0.00759

Низкий

4.3 Medium

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-mrch-jfhc-g63x

github

больше 3 лет назад