CVE-2015-6463 - OpenCVE

CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Codewrights	Hart Comm Dtm
Endress\+hauser	Hart Comm Dtm

Configuration 1 [-]

OR	cpe:2.3:o:codewrights:hart_comm_dtm::::::::
	cpe:2.3:o:endress\+hauser:hart_comm_dtm::::::::

No data.

References

Link	Providers
https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2015-09-28T01:00:00

Updated: 2024-08-06T07:22:21.619Z

Reserved: 2015-08-17T00:00:00

Link: CVE-2015-6463

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-09-28T02:59:14.027

Modified: 2015-09-29T19:17:10.750

Link: CVE-2015-6463

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-24T00:00:00", "descriptions": [{"lang": "en", "value": "CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-09-28T01:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2015-6463", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:22:21.619Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2015-6463", "datePublished": "2015-09-28T01:00:00", "dateReserved": "2015-08-17T00:00:00", "dateUpdated": "2024-08-06T07:22:21.619Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:codewrights:hart_comm_dtm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F65832F-C54A-4098-BB12-1DAC16A2BE13", "vulnerable": true}, {"criteria": "cpe:2.3:o:endress\\+hauser:hart_comm_dtm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3A7E4C9-DDCD-413C-87C7-3B460342B1D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "Vulnerabilidad en los componentes CodeWrights HART Comm DTM, tal y como se utiliza con Endress+Hauser FieldCare, permite a atacantes remotos leer archivos arbitrario, enviar peticiones HTTP a servidores de la intranet o causar una denegaci\u00f3n de servicio (corrupci\u00f3n de memoria y CPU) a trav\u00e9s de un esquema XML de larga la etiqueta que contiene una declaraci\u00f3n de entidad externa junto con una referencia de entidad, relacionado a un problema de XML External Entity (XXE)."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2015-6463", "lastModified": "2015-09-29T19:17:10.750", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-09-28T02:59:14.027", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-267-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}