CVE-2018-2019: XML External Entity (XXE) Injection in IBM Security Identity Manager

Severity: 7.1 HIGH (NVD)
EPSS: 0.5% (top 33.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 18; latest update May 16

Description

IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to an XML External Entity (XXE) injection attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Exploitability: 2.8 | Impact: 4.2

Affected Packages: 2 packages

Patches

Vulnerability Details

GHSA-xp65-54g6-4jpj: IBM Security Identity Manager 6 (2022-05-13)

CVE-2018-2019 — XML External Entity (XXE) Injection | cvebase