CVE-2018-6486 - OpenCVE

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microfocus	Fortify Audit Workbench Fortify Software Security Center

Configuration 1 [-]

OR	cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:::::::*
	cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:::::::*
	cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:microfocus:fortify_software_security_center:16.10:::::::*
	cpe:2.3:a:microfocus:fortify_software_security_center:16.20:::::::*
	cpe:2.3:a:microfocus:fortify_software_security_center:17.10:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102902
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653

History

No history.

MITRE

Status: PUBLISHED

Assigner: microfocus

Published: 2018-02-02T14:00:00Z

Updated: 2024-09-16T16:28:00.284Z

Reserved: 2018-02-01T00:00:00

Link: CVE-2018-6486

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-02T14:29:01.497

Modified: 2023-11-07T02:59:54.853

Link: CVE-2018-6486

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)", "vendor": "Micro Focus", "versions": [{"status": "affected", "version": "16.10, 16.20, 17.10"}]}], "credits": [{"lang": "en", "value": "Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com"}], "datePublic": "2018-02-01T00:00:00", "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "XML External Entity (XXE)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:24", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"name": "102902", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102902"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"}], "title": "MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2018-02-01T18:58:00.000Z", "ID": "CVE-2018-6486", "STATE": "PUBLIC", "TITLE": "MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)", "version": {"version_data": [{"version_value": "16.10, 16.20, 17.10"}]}}]}, "vendor_name": "Micro Focus"}]}}, "credit": ["Micro Focus would like to thank Jakub Palaczynski for reporting this issue to security-alert@hpe.com"], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."}]}, "exploit": "XML External Entity (XXE)", "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML External Entity (XXE)"}]}]}, "references": {"reference_data": [{"name": "102902", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102902"}, {"name": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653", "refsource": "CONFIRM", "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:01:49.279Z"}, "title": "CVE Program Container", "references": [{"name": "102902", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102902"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"}]}]}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2018-6486", "datePublished": "2018-02-02T14:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T16:28:00.284Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.10:*:*:*:*:*:*:*", "matchCriteriaId": "DCAC9EC0-3C36-465E-9687-B61BB7E5CD2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:16.20:*:*:*:*:*:*:*", "matchCriteriaId": "ADB15BAB-2A01-4505-B23A-6733FEA144F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:fortify_audit_workbench:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "52BE8B0D-5180-4277-9A5B-0DF0C89A9FDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:16.10:*:*:*:*:*:*:*", "matchCriteriaId": "BA657021-3719-4055-BE1F-6402E976D68E", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:16.20:*:*:*:*:*:*:*", "matchCriteriaId": "4C7D5750-8985-4AE0-B3AE-D31E278027AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9E137D7D-8108-4EE2-9800-EAC66AB82D77", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection."}, {"lang": "es", "value": "Vulnerabilidad XEE (XML External Entity) en Micro Focus Fortify Audit Workbench (AWB) y Micro Focus Fortify Software Security Center (SSC), versiones 16.10, 16.20 y 17.10. Esta vulnerabilidad podr\u00eda ser explotada para permitir inyecci\u00f3n XEE (XML External Entity)."}], "id": "CVE-2018-6486", "lastModified": "2023-11-07T02:59:54.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2018-02-02T14:29:01.497", "references": [{"source": "security@opentext.com", "url": "http://www.securityfocus.com/bid/102902"}, {"source": "security@opentext.com", "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}