CVE-2014-6212

10.01.2015, 02:59

The Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.5 before 9.5.1.3 iFix2, 10.0.0.x before 10.0.0.1 iFix1, 10.0.1.x before 10.0.1.3 iFix1, and 10.0.2.x before 10.0.2.5; and Emptoris Program Management (aka PGM) and Strategic Supply Management (aka SSMP) 10.0.0.x before 10.0.0.3 iFix6, 10.0.1.x before 10.0.1.4 iFix1, and 10.0.2.x before 10.0.2.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	4 UNKNOWN	NETWORK	LOW	AV:N/AC:L/Au:S/C:P/I:N/A:N
ibm	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 43%

Vendor	Product	Version
ibm	emptoris_sourcing_portfolio	9.5.0.0
ibm	emptoris_sourcing_portfolio	9.5.0.1
ibm	emptoris_sourcing_portfolio	9.5.0.2
ibm	emptoris_sourcing_portfolio	9.5.1.0
ibm	emptoris_sourcing_portfolio	9.5.1.1
ibm	emptoris_sourcing_portfolio	9.5.1.2
ibm	emptoris_sourcing_portfolio	9.5.1.3
ibm	emptoris_sourcing_portfolio	10.0.0.0
ibm	emptoris_sourcing_portfolio	10.0.0.1
ibm	emptoris_sourcing_portfolio	10.0.1.0
ibm	emptoris_sourcing_portfolio	10.0.1.1
ibm	emptoris_sourcing_portfolio	10.0.1.2
ibm	emptoris_sourcing_portfolio	10.0.1.3
ibm	emptoris_sourcing_portfolio	10.0.2.0
ibm	emptoris_sourcing_portfolio	10.0.2.2
ibm	emptoris_sourcing_portfolio	10.0.2.3
ibm	emptoris_sourcing_portfolio	10.0.2.4
ibm	emptoris_program_management	10.0.0.0
ibm	emptoris_program_management	10.0.0.1
ibm	emptoris_program_management	10.0.0.2
ibm	emptoris_program_management	10.0.0.3
ibm	emptoris_program_management	10.0.1.0
ibm	emptoris_program_management	10.0.1.1
ibm	emptoris_program_management	10.0.1.2
ibm	emptoris_program_management	10.0.1.3
ibm	emptoris_program_management	10.0.1.4
ibm	emptoris_program_management	10.0.2.0
ibm	emptoris_program_management	10.0.2.1
ibm	emptoris_program_management	10.0.2.2
ibm	emptoris_program_management	10.0.2.3
ibm	emptoris_program_management	10.0.2.4
ibm	emptoris_contract_management	9.5.0.0
ibm	emptoris_contract_management	9.5.0.1
ibm	emptoris_contract_management	9.5.0.2
ibm	emptoris_contract_management	9.5.0.3
ibm	emptoris_contract_management	9.5.0.4
ibm	emptoris_contract_management	9.5.0.5
ibm	emptoris_contract_management	9.5.0.6
ibm	emptoris_contract_management	10.0.0.0
ibm	emptoris_contract_management	10.0.0.1
ibm	emptoris_contract_management	10.0.1.0
ibm	emptoris_contract_management	10.0.1.1
ibm	emptoris_contract_management	10.0.1.2
ibm	emptoris_contract_management	10.0.1.3
ibm	emptoris_contract_management	10.0.1.4
ibm	emptoris_contract_management	10.0.1.5
ibm	emptoris_contract_management	10.0.2.0
ibm	emptoris_contract_management	10.0.2.1
ibm	emptoris_contract_management	10.0.2.2

𝑥

= Vulnerable software versions

References

http://www-01.ibm.com/support/docview.wss?uid=swg21693069

https://exchange.xforce.ibmcloud.com/vulnerabilities/98689

http://www-01.ibm.com/support/docview.wss?uid=swg21693069

https://exchange.xforce.ibmcloud.com/vulnerabilities/98689