CVE-2013-7140 - OpenCVE

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Open-xchange	Open-xchange Appsuite

Configuration 1 [-]

OR	cpe:2.3:a:open-xchange:open-xchange_appsuite::::::::
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:::::::*

No data.

References

Link	Providers
http://seclists.org/bugtraq/2014/Jan/57
http://www.osvdb.org/102194
http://www.securityfocus.com/bid/65015
http://www.securitytracker.com/id/1029650
https://exchange.xforce.ibmcloud.com/vulnerabilities/90543

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-26T20:00:00

Updated: 2024-08-06T18:01:19.433Z

Reserved: 2013-12-18T00:00:00

Link: CVE-2013-7140

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-01-26T20:55:05.877

Modified: 2017-08-29T01:34:04.467

Link: CVE-2013-7140

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-17T00:00:00", "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://seclists.org/bugtraq/2014/Jan/57"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7140", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "refsource": "OSVDB", "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2014/Jan/57"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:01:19.433Z"}, "title": "CVE Program Container", "references": [{"name": "openxchange-cve20137140-info-disclosure(90543)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}, {"name": "65015", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65015"}, {"name": "102194", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/102194"}, {"name": "1029650", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1029650"}, {"name": "20140117 Open-Xchange Security Advisory 2014-01-17", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://seclists.org/bugtraq/2014/Jan/57"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7140", "datePublished": "2014-01-26T20:00:00", "dateReserved": "2013-12-18T00:00:00", "dateUpdated": "2024-08-06T18:01:19.433Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*", "matchCriteriaId": "567B4139-220A-46A7-B847-616F99A1EA66", "versionEndIncluding": "7.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*", "matchCriteriaId": "983E5F3A-E7AD-4CCA-80D4-9C012AFCCDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F85EE0C-B7A0-455A-96F6-E4E6BA5D7216", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*", "matchCriteriaId": "2D9572CB-9A46-492E-BDCC-E01849EF0EC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "138461CD-9C27-40E5-B7A0-A37737B6E942", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "108BCEFD-3098-4919-9B0C-E80F6FA1C102", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDBB02DF-1022-4FE5-B5E1-198DC58F8C1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2BF31219-8390-4676-A9C4-D625A016C71E", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "75B04598-67CD-420B-92C9-9A7459295E11", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DAEED7B-C295-42B4-A60B-2EAA596E3D65", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks."}, {"lang": "es", "value": "Vulnerabilidad en entidades externas XML (XXE) en la interfaz de CalDAV en Open-Xchange (OX) AppSuite 7.4.1 y anteriores permite a usuarios remotos autenticados leer porciones de archivos arbitrarios a trav\u00e9s de vectores relacionados con el constructor de SAX y la interfaz de WebDAV. NOTA: este problema ha sido etiquetado como tanto como de recorrido ruta absoluta y XXE, pero la causa raiz puede ser XXE, ya XXE puede ser explotado para realizar el recorrido ruta absoluta y otros ataques."}], "evaluatorComment": "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')", "id": "CVE-2013-7140", "lastModified": "2017-08-29T01:34:04.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-26T20:55:05.877", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/bugtraq/2014/Jan/57"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/102194"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/65015"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1029650"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90543"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}