CVE-2014-0644

EMC Cloud Tiering Appliance 10.0 - XML External Entity Arbitrary File Read

Severity Score

7.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

EMC Cloud Tiering Appliance (CTA) 10 hasta SP1 permite a atacantes remotos leer archivos arbitrarios a través de una solicitud api/login que contiene una declaración de entidad externa XML en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE), tal y como fue demostrado por la lectura del archivo /etc/shadow.

EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user.

*Credits: N/A

CVSS Scores

NISTv2 7.8

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-01-02 CVE Reserved
2014-03-31 First Exploit
2014-04-16 CVE Published
2024-08-06 CVE Updated
2024-11-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (5)

URL	Tag	Source
http://archives.neohapsis.com/archives/bugtraq/2014-04/0094.html	Mailing List
http://seclists.org/fulldisclosure/2014/Mar/426	Mailing List
https://gist.github.com/brandonprry/9895721	X_refsource_misc
-

URL	Date	SRC
https://www.exploit-db.com/exploits/32623	2014-03-31

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Emc Search vendor "Emc"	Cloud Tiering Appliance Software Search vendor "Emc" for product "Cloud Tiering Appliance Software"	10.0 Search vendor "Emc" for product "Cloud Tiering Appliance Software" and version "10.0"	-	Affected	in	Emc Search vendor "Emc"	Cloud Tiering Appliance Search vendor "Emc" for product "Cloud Tiering Appliance"	-	-	Affected
Emc Search vendor "Emc"	Cloud Tiering Appliance Software Search vendor "Emc" for product "Cloud Tiering Appliance Software"	10.0 Search vendor "Emc" for product "Cloud Tiering Appliance Software" and version "10.0"	sp1	Affected	in	Emc Search vendor "Emc"	Cloud Tiering Appliance Search vendor "Emc" for product "Cloud Tiering Appliance"	-	-	Affected