{"cve": [{"lastseen": "2017-09-08T10:27:05", "bulletinFamily": "NVD", "description": "CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to conduct replay attacks via unspecified vectors.", "modified": "2017-09-07T21:29:23", "published": "2014-11-04T15:55:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8471", "id": "CVE-2014-8471", "title": "CVE-2014-8471", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-08T10:27:05", "bulletinFamily": "NVD", "description": "Cross-site request forgery (CSRF) vulnerability in CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.", "modified": "2017-09-07T21:29:23", "published": "2014-11-04T15:55:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8473", "id": "CVE-2014-8473", "title": "CVE-2014-8473", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-08T10:27:05", "bulletinFamily": "NVD", "description": "CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", "modified": "2017-09-07T21:29:23", "published": "2014-11-04T15:55:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8474", "id": "CVE-2014-8474", "title": "CVE-2014-8474", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-08T10:27:05", "bulletinFamily": "NVD", "description": "CA Cloud Service Management (CSM) before Summer 2014 does not properly verify 
authentication tokens from an Identity Provider, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors.", "modified": "2017-09-07T21:29:23", "published": "2014-11-04T15:55:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8472", "id": "CVE-2014-8472", "title": "CVE-2014-8472", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:55", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nCA20141103-01: Security Notice for CA Cloud Service Management\r\n\r\nIssued: November 3, 2014\r\n\r\nCA Technologies Support is alerting customers to four resolved\r\nvulnerabilities with CA Cloud Service Management. Four vulnerabilities\r\nexisted that could potentially allow a remote attacker to access user\r\nsessions, gain sensitive information, or cause a denial of service\r\ncondition. CA Technologies fixed these vulnerabilities in all\r\nproduction environments as part of the Cloud Service Management\r\nSummer 2014 Upgrade.\r\n\r\nThe first vulnerability, CVE-2014-8471, concerned a replay attack. An\r\nattacker would have needed access to a user's environment in order to\r\ncarry out this attack.\r\n\r\nThe second vulnerability, CVE-2014-8472, involved Identity Provider\r\nauthentication token verification. An attacker would have needed to\r\nmanipulate a user in order to exploit this vulnerability.\r\n\r\nThe third vulnerability, CVE-2014-8473, is a cross-site request\r\nforgery vulnerability. 
An attacker would have needed to manipulate a\r\nuser in order to exploit this vulnerability.\r\n\r\nThe fourth vulnerability, CVE-2014-8474, is an XML external entity\r\nvulnerability that could have allowed an attacker to potentially gain\r\nsensitive information or cause a denial of service condition.\r\n\r\nRisk Rating\r\n\r\nHigh\r\n\r\nNote: These vulnerabilities no longer pose any risk to customers.\r\n\r\nAffected Products\r\n\r\nCA Cloud Service Management Spring release\r\n\r\nUnaffected Products\r\n\r\nCA Cloud Service Management Summer 2014 Upgrade\r\n\r\nSolution\r\n\r\nCA Technologies addressed these vulnerabilities with the Cloud\r\nService Management Summer 2014 Upgrade.\r\n\r\nReferences\r\n\r\nCVE-2014-8471 - CSM replay\r\nCVE-2014-8472 - CSM Identity Provider\r\nCVE-2014-8473 - CSM CSRF\r\nCVE-2014-8474 - CSM XXE\r\n\r\nAcknowledgement\r\n\r\nCVE-2014-8471, CVE-2014-8472, CVE-2014-8473, CVE-2014-8474 -\r\nVladislav Mladenov, Julian Krautwald, Florian Feldmann and Christian\r\nMainka (@CheariX), Security researchers at Horst Gortz Institute for\r\nIT-Security / Chair for Network and Data Security\r\n\r\nChange History\r\n\r\nVersion 1.0: Initial Release\r\n\r\nIf additional information is required, please contact CA Technologies\r\nSupport at https://support.ca.com/\r\n\r\nIf you discover a vulnerability in CA Technologies products, please\r\nreport your findings to the CA Technologies Product Vulnerability\r\nResponse Team at vuln@ca.com\r\n\r\nSecurity Notices\r\nhttps://support.ca.com/irj/portal/anonymous/phpsbpldgpg\r\n\r\nRegards,\r\n\r\nKevin Kotas\r\nVulnerability Response Director\r\nCA Technologies Product Vulnerability Response Team\r\n\r\nCopyright (c) 2014 CA. All Rights Reserved. One CA Plaza, Islandia,\r\nN.Y. 11749. 
All other trademarks, trade names, service marks, and\r\nlogos referenced herein belong to their respective companies.\r\n\r\n", "modified": "2014-11-10T00:00:00", "published": "2014-11-10T00:00:00", "id": "SECURITYVULNS:DOC:31374", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31374", "title": "CA20141103-01: Security Notice for CA Cloud Service Management", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}