CVE-2014-4814

2014-10-2819:55:00

CWE-399

[email protected]

web.nvd.nist.gov

ibm

websphere

portal

xml

denial of service

cve-2014-4814

cve-2003-1564

security

6.5 Medium

AI Score

Confidence

High

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

71.1%

JSON

IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 does not properly detect recursion during entity expansion, which allows remote authenticated users to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CPENameOperatorVersion
ibm:websphere_portalibm websphere portaleq7.0.0.1
ibm:websphere_portalibm websphere portaleq8.5.0.0
ibm:websphere_portalibm websphere portaleq8.0.0.1
ibm:websphere_portalibm websphere portaleq7.0.0.0
ibm:websphere_portalibm websphere portaleq8.0.0.0
ibm:websphere_portalibm websphere portaleq6.1.5.1
ibm:websphere_portalibm websphere portaleq6.1.5.0
ibm:websphere_portalibm websphere portaleq6.1.0.5
ibm:websphere_portalibm websphere portaleq6.1.5.3
ibm:websphere_portalibm websphere portaleq6.1.0.2

CPE	Name	Operator	Version
ibm:websphere_portal	ibm websphere portal	eq	7.0.0.1
ibm:websphere_portal	ibm websphere portal	eq	8.5.0.0
ibm:websphere_portal	ibm websphere portal	eq	8.0.0.1
ibm:websphere_portal	ibm websphere portal	eq	7.0.0.0
ibm:websphere_portal	ibm websphere portal	eq	8.0.0.0
ibm:websphere_portal	ibm websphere portal	eq	6.1.5.1
ibm:websphere_portal	ibm websphere portal	eq	6.1.5.0
ibm:websphere_portal	ibm websphere portal	eq	6.1.0.5
ibm:websphere_portal	ibm websphere portal	eq	6.1.5.3
ibm:websphere_portal	ibm websphere portal	eq	6.1.0.2