CVE-2018-11048

EUVD-2018-3092

10.08.2018, 20:29

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 59%

Affected Products (NVD)

Vendor	Product	Version
dell	emc_data_protection_advisor	6.2
dell	emc_data_protection_advisor	6.3
dell	emc_data_protection_advisor	6.4
dell	emc_data_protection_advisor	6.5
dell	emc_integrated_data_protection_appliance	2.0
dell	emc_integrated_data_protection_appliance	2.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

http://seclists.org/fulldisclosure/2018/Aug/5

http://www.securityfocus.com/bid/105130

http://www.securitytracker.com/id/1041417

http://seclists.org/fulldisclosure/2018/Aug/5

http://www.securityfocus.com/bid/105130

http://www.securitytracker.com/id/1041417