CVE-2014-0644
published 2014-04-17


Priority: P267, high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
EXPLOIT
EPSS: 53.34% (98.9th percentile)
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| emc | cloud_tiering_appliance_software | | |
| redhat | ansible | >= 0 < 1.5.5 | 1.5.5 |

Detection & IOCs (extracted from sources)

url: /api/login
url: https://172.31.16.99/UxFramework/UxFlashApplication.swf
path: /UxFramework/UxFlashApplication.swf
port: 443
  • Detect unauthenticated POST requests to /api/login containing XML external entity (XXE) declarations (DOCTYPE + ENTITY keywords) in the POST body, which is the attack vector for this CVE.
  • Alert on POST /api/login requests with Content-Type: application/x-www-form-urlencoded that contain XML DOCTYPE declarations, as the exploit smuggles XXE payloads in this form-encoded body.
  • Monitor for requests to /api/login referencing /UxFramework/UxFlashApplication.swf as the Referer, which is characteristic of exploitation attempts against EMC CTA.
  • The Metasploit module auxiliary/gather/emc_cta_xxe can be used to reproduce and test for this vulnerability; presence of this module name in logs or IDS signatures is a strong indicator of exploitation attempts.
  • The exploit operates without authentication: no credentials are required, making pre-auth detection critical. Standard authenticated-session monitoring will miss this attack.
  • The vulnerability affects EMC Cloud Tiering Appliance versions 10 through SP1 only; detection rules should be scoped to those product versions to reduce false positives.
  • File reads are performed with root-level permissions, meaning any file on the filesystem (including /etc/shadow) is accessible, so detection should not be limited to shadow file access patterns alone.
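
The request-level checks in the bullets above, sketched as an added example that is not taken from the page's sources. The parsed-request dict layout, the function names, the hostname cta.example and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_plus

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
SWF_PATH = "/UxFramework/UxFlashApplication.swf"

def findings(req):
    """Return which of the page's indicators match one parsed HTTP request."""
    if req["method"].upper() != "POST":
        return []
    if req["path"].split("?", 1)[0].rstrip("/") != "/api/login":
        return []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = req.get("body", "")
    for _ in range(2):  # undo single and double percent-encoding before matching
        body = unquote_plus(body)
    hits = []
    if DOCTYPE_RE.search(body) and ENTITY_RE.search(body):
        hits.append("xxe-declaration")
        ctype = headers.get("content-type", "").lower()
        if ctype.startswith("application/x-www-form-urlencoded"):
            hits.append("dtd-in-form-body")
    if SWF_PATH in headers.get("referer", ""):
        hits.append("swf-referer")
    return hits

def verdict(hits):
    # A DTD in a login body is the attack vector; the Referer alone is only context.
    if "xxe-declaration" in hits:
        return "alert"
    return "review" if hits else "ok"

# Constructed sample requests, not captured traffic. The entity target is a placeholder.
DTD = '<!DOCTYPE r [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><r>&e;</r>'
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = [
    {"method": "POST", "path": "/api/login", "headers": FORM, "body": DTD},
    {"method": "POST", "path": "/api/login", "headers": FORM, "body": quote(quote(DTD))},
    {"method": "POST", "path": "/api/login",
     "headers": {**FORM, "Referer": "https://cta.example" + SWF_PATH},
     "body": "field=value"},
    {"method": "GET", "path": "/api/login", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["method"], s["path"], findings(s), verdict(findings(s)))
```

Because the check runs on the request itself, it does not depend on any session or authentication state, which matches the pre-auth nature of the issue.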

CVSS provenance

nvd: v2.0, 7.8 HIGH, AV:N/AC:L/Au:N/C:C/I:N/A:N
vendor_redhat: 5.5 MEDIUM