CVE-2020-17408XML External Entity (XXE) Injection in Expresscluster

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
7.5HIGHNVD
EPSS
14.8%
top 5.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
NEC ExpressclusterNEC Expresscluster X
Timeline
PublishedSep 10
Latest updateMay 24

Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can le

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5nec/expresscluster4.1
NVDnec/expresscluster_x4.1, 4.2+1

Patches

Patch: www.support.nec.co.jpPatch: www.support.nec.co.jp

🔴Vulnerability Details

2
GHSA
GHSA-4ffh-54c8-m8qq: This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 42022-05-24
CVEList
CVE-2020-17408: This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 42020-09-10
CVE-2020-17408 — XML External Entity (XXE) Injection | cvebase