CVE-2017-1103 — XML External Entity (XXE) Injection in IBM Rational Team Concert
Severity
8.1 HIGH (NVD)
EPSS
0.4%
top 40.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 10
Latest update: May 17
Description
IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2
Affected Packages (3 packages)
CVEListV5: ibm_corporation/rational_collaborative_lifecycle_management 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3
Patches
Vulnerability Details (2)
GHSA
GHSA-prgj-f78p-gh4p: IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data (2022-05-17)
CVEList
CVE-2017-1103: IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data (2017-05-10)
Exploits & PoCs (1)
Exploit-DB
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation (2017-04-20)