CVE-2021-27777 - OpenCVE

XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hcltech	Unica

Configuration 1 [-]

cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124

History

No history.

MITRE

Status: PUBLISHED

Assigner: HCL

Published: 2022-05-12T21:25:31.294598Z

Updated: 2024-09-16T19:31:23.448Z

Reserved: 2021-02-26T00:00:00

Link: CVE-2021-27777

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-12T22:15:12.067

Modified: 2022-08-06T03:18:42.187

Link: CVE-2021-27777

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "HCL Unica", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "12 and below"}]}], "datePublic": "2022-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "description": "CWE-91 XML Injection (aka Blind XPath Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-25T16:50:10", "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL Unica Platform is vulnerable to XML External Entity (XXE) injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@hcl.com", "DATE_PUBLIC": "2022-04-10T00:00:00.000Z", "ID": "CVE-2021-27777", "STATE": "PUBLIC", "TITLE": "HCL Unica Platform is vulnerable to XML External Entity (XXE) injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HCL Unica", "version": {"version_data": [{"version_value": "12 and below"}]}}]}, "vendor_name": "HCL Software"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-91 XML Injection (aka Blind XPath Injection)"}]}]}, "references": {"reference_data": [{"name": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124", "refsource": "MISC", "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.882Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124"}]}]}, "cveMetadata": {"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "assignerShortName": "HCL", "cveId": "CVE-2021-27777", "datePublished": "2022-05-12T21:25:31.294598Z", "dateReserved": "2021-02-26T00:00:00", "dateUpdated": "2024-09-16T19:31:23.448Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*", "matchCriteriaId": "633B4227-22EA-48D7-9962-C0880AC6F218", "versionEndExcluding": "12.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references."}, {"lang": "es", "value": "Las vulnerabilidades de inyecci\u00f3n de entidades externas XML (XXE) se producen cuando los analizadores XML configurados inapropiadamente procesan la entrada suministrada por el usuario sin una suficiente combrobaci\u00f3n. Los atacantes pueden explotar esta vulnerabilidad para manipular el contenido XML e inyectar referencias a entidades externas maliciosas"}], "id": "CVE-2021-27777", "lastModified": "2022-08-06T03:18:42.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-05-12T22:15:12.067", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097124"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-91"}], "source": "psirt@hcl.com", "type": "Secondary"}]}