CVE-2014-3573

CWE-20 — Improper Input Validation CWE-611 — XML External Entity (XXE)6 documents5 sources

Severity

6.5MEDIUM

EPSS

0.5%

top 36.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Enterprise Virtualization Manager

Timeline

PublishedOct 18

Latest updateMay 17

Description

The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

▶NVDredhat/enterprise_virtualization_manager3.4.1

🔴Vulnerability Details

GHSA

GHSA-6whg-r3w4-fhjh: The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3↗2022-05-17

▶

CVEList

CVE-2014-3573: The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3↗2014-10-18

▶

📋Vendor Advisories

Red Hat

Engine: XML eXternal Entity (XXE) flaw in backend module↗2014-09-04

▶

💬Community

Bugzilla

CVE-2014-3573 ovirt-engine-backend: oVirt Engine: XML eXternal Entity (XXE) flaw in backend module↗2014-09-07

▶

Bugzilla

CVE-2014-3573 oVirt Engine: XML eXternal Entity (XXE) flaw in backend module↗2014-08-01

▶