CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
ibmbusiness_process_manager
7.5.0.0
ibmbusiness_process_manager
7.5.0.1
ibmbusiness_process_manager
7.5.1.0
ibmbusiness_process_manager
7.5.1.1
ibmbusiness_process_manager
7.5.1.2
ibmbusiness_process_manager
8.0.0.0
ibmbusiness_process_manager
8.0.1.0
ibmbusiness_process_manager
8.0.1.1
ibmbusiness_process_manager
8.0.1.2
ibmbusiness_process_manager
8.5.0.0
ibmbusiness_process_manager
8.5.0.1
ibmbusiness_process_manager
8.5.5.0
ibmwebsphere_application_server
7.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://secunia.com/advisories/60752
http://secunia.com/advisories/60755
http://secunia.com/advisories/60757
http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
http://www-01.ibm.com/support/docview.wss?uid=swg21679726
http://www.securityfocus.com/bid/69264
https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
http://secunia.com/advisories/60752
http://secunia.com/advisories/60755
http://secunia.com/advisories/60757
http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
http://www-01.ibm.com/support/docview.wss?uid=swg21679726
http://www.securityfocus.com/bid/69264
https://exchange.xforce.ibmcloud.com/vulnerabilities/94112