Security Bulletin: IBM Rational Software Architect Design Manager does not handle incoming requests containing XML in a safe manner (CVE-2018-1456, CVE-2018-1587)

2018-06-17 05:28:31
www.ibm.com

EPSS: 0.001 (Low), percentile 45.5%

Summary

The use of XML external entities in RSA DM linktype definitions constitutes a security risk, including disclosure of local files.
The error message displayed when parsing malformed XML can disclose unnecessary technical details that could be used to construct further attacks.

Vulnerability Details

**CVEID:** CVE-2018-1456
**DESCRIPTION:** IBM Rhapsody DM is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
**CVSS Base Score:** 7.1
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/140091 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

**CVEID:** CVE-2018-1587
**DESCRIPTION:** IBM Rhapsody DM could reveal technical error messages to allow an adversary to gain information about the application and database that could be used to conduct further attacks.
**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/143500 for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
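Both CVEs come down to the same two server-side controls: refuse DTD processing on client-supplied XML (which removes external entities and entity-expansion memory exhaustion together, since every entity declaration lives in the DTD), and never return raw parser diagnostics to the client. The following is an added illustration of those controls, written here in Python for a generic HTTP handler; it is not IBM's code, not the product's actual fix, and the request handler, the `linktype` sample documents and the size limit are all constructed assumptions.

```python
import logging
import xml.etree.ElementTree as ET
from xml.parsers import expat

log = logging.getLogger("xml_gate")

# Assumed request-body cap for this example; not an IBM setting.
MAX_XML_BYTES = 1 << 20


class UnsafeXmlError(ValueError):
    """The document uses XML features we refuse from clients (DTD/DOCTYPE)."""


class XmlParseFailure(ValueError):
    """Client-safe parse error: a fixed message, details go to the log only."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # All entity declarations (SYSTEM/external, parameter, recursive) must sit
    # inside a DOCTYPE, so refusing it blocks both local-file disclosure and
    # entity-expansion memory exhaustion with a single check.
    raise UnsafeXmlError("DOCTYPE declarations are not accepted")


def parse_untrusted_xml(raw: bytes) -> ET.Element:
    """Parse client-supplied XML with DTDs refused and diagnostics withheld."""
    if len(raw) > MAX_XML_BYTES:
        raise UnsafeXmlError("document exceeds size limit")

    # Pass 1: a bare expat parser acts as the gate. Expat decodes the input
    # itself, so an encoding trick cannot hide a DOCTYPE from this check the
    # way it could from a naive byte search.
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _reject_doctype
    try:
        gate.Parse(raw, True)
    except expat.ExpatError as exc:
        # Operators get the exact reason and position in the server log; the
        # client gets a generic message with no parser or stack details.
        log.warning("rejected malformed XML: %s (line %d, column %d)",
                    exc, exc.lineno, exc.offset)
        raise XmlParseFailure("request body is not well-formed XML") from None

    # Pass 2: the input is well-formed and DTD-free, so build the tree.
    return ET.fromstring(raw)


def error_response(exc: Exception) -> dict:
    """Map exceptions to a response body that reveals nothing internal."""
    if isinstance(exc, (UnsafeXmlError, XmlParseFailure)):
        return {"status": 400, "error": str(exc)}
    log.error("unexpected failure while handling XML request: %r", exc)
    return {"status": 500, "error": "internal error"}


def handle_linktype_upload(raw: bytes) -> dict:
    """Hypothetical endpoint that accepts a linktype definition as XML."""
    try:
        root = parse_untrusted_xml(raw)
    except (UnsafeXmlError, XmlParseFailure) as exc:
        return error_response(exc)
    return {"status": 200, "root": root.tag}


# Constructed sample inputs (not taken from the bulletin).
GOOD_LINKTYPE = b'<linktype name="traces"><source>Requirement</source></linktype>'
DTD_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///example/placeholder">]>'
              b'<linktype>&e;</linktype>')
BROKEN_XML = b'<linktype><source>Requirement</linktype>'

if __name__ == "__main__":
    for sample in (GOOD_LINKTYPE, DTD_SAMPLE, BROKEN_XML):
        print(handle_linktype_upload(sample))
```

The gate-then-parse split is deliberate: the first pass never builds a tree, so a rejected document costs little, and the second pass only ever sees input that has already been proven DOCTYPE-free and well-formed. The same pattern applies to the Java stack the product runs on by disabling DTD processing on the parser factory and catching parser exceptions before they reach the HTTP response.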

Affected Products and Versions

IBM Rational Software Architect Design Manager 4.0.0 - 4.0.7
IBM Rational Software Architect Design Manager 5.0.0 - 5.0.2
IBM Rational Software Architect Design Manager 6.0.0 - 6.0.2

Remediation/Fixes

For IBM Rational Software Architect Design Manager version 4.0.0 - 4.0.7, contact IBM Support.

For IBM Rational Software Architect Design Manager version 5.0.0 - 5.0.1, upgrade to version 5.0.2 and apply 5.0.2 iFix011d.

For IBM Rational Software Architect Design Manager version 6.0.0 - 6.0.1, upgrade to version 6.0.2 and apply 6.0.2 iFix003d.

Workarounds and Mitigations

None
