{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37536", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2023-07-06T16:29:45.713Z", "datePublished": "2023-10-11T06:46:01.750Z", "dateUpdated": "2024-08-02T17:16:30.600Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "BigFix Platform", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "9.5 - 9.5.22, 10 - 10.0.9"}]}], "datePublic": "2023-09-28T18:26:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.</span>"}], "value": "An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2023-10-11T06:46:01.750Z"}, "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL BigFix Platform is vulnerable to an integer overflow in xerces-c++ 3.2.3", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-680", "lang": "en", "description": "CWE-680 Integer Overflow to Buffer Overflow"}]}], "affected": [{"vendor": "hcltech", "product": "bigfix_platform", "cpes": ["cpe:2.3:a:hcltech:bigfix_platform:10:*:*:*:*:*:*:*", "cpe:2.3:a:hcltech:bigfix_platform:9.5:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10", "status": "affected", "lessThanOrEqual": "9.5.22", "versionType": "semver"}, {"version": "9.5", "status": "affected", "lessThanOrEqual": "10.0.9", "versionType": "semver"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "37", "status": "affected"}, {"version": "38", "status": "affected"}, {"version": "39", "status": "affected"}]}, {"vendor": "apache", "product": "xerces-c\\+\\+", "cpes": ["cpe:2.3:a:apache:xerces-c\\+\\+:3.2.2:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.2.2", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T03:55:41.734161Z", "id": "CVE-2023-37536", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T13:05:26.588Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.600Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.600Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-19T03:55:41.734161Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hcltech:bigfix_platform:10:*:*:*:*:*:*:*", "cpe:2.3:a:hcltech:bigfix_platform:9.5:*:*:*:*:*:*:*"], "vendor": "hcltech", "product": "bigfix_platform", "versions": [{"status": "affected", "version": "10", "versionType": "semver", "lessThanOrEqual": "9.5.22"}, {"status": "affected", "version": "9.5", "versionType": "semver", "lessThanOrEqual": "10.0.9"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "37"}, {"status": "affected", "version": "38"}, {"status": "affected", "version": "39"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:apache:xerces-c\\+\\+:3.2.2:*:*:*:*:*:*:*"], "vendor": "apache", "product": "xerces-c\\+\\+", "versions": [{"status": "affected", "version": "3.2.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-680", "description": "CWE-680 Integer Overflow to Buffer Overflow"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T13:01:14.287Z"}}], "cna": {"title": "HCL BigFix Platform is vulnerable to an integer overflow in xerces-c++ 3.2.3", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCL Software", "product": "BigFix Platform", "versions": [{"status": "affected", "version": "9.5 - 9.5.22, 10 - 10.0.9"}], "defaultStatus": "unaffected"}], "datePublic": "2023-09-28T18:26:00.000Z", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.</span>", "base64": false}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2023-10-11T06:46:01.750Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37536", "state": "PUBLISHED", "dateUpdated": "2024-08-02T17:16:30.600Z", "dateReserved": "2023-07-06T16:29:45.713Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2023-10-11T06:46:01.750Z", "assignerShortName": "HCL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xerces-c\\+\\+:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D12DE323-B495-4294-B491-D18A2134D3E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C944AE77-DEF5-4AF7-A900-F82CB023F5FD", "versionEndExcluding": "9.5.23", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:bigfix_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D9C29D2-7B7C-4040-9451-BAB1FB5E4D28", "versionEndExcluding": "10.0.10", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request."}, {"lang": "es", "value": "Un desbordamiento de enteros de xerces-c++ 3.2.3 en BigFix Platform permite a atacantes remotos provocar acceso fuera de l\u00edmites a trav\u00e9s de una solicitud HTTP."}], "id": "CVE-2023-37536", "lastModified": "2024-08-01T13:44:10.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2023-10-11T07:15:10.580", "references": [{"source": "psirt@hcl.com", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html"}, {"source": "psirt@hcl.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/"}, {"source": "psirt@hcl.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/"}, {"source": "psirt@hcl.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM/"}, {"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-680"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8795", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "xerces-c-0:3.1.1-10.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-11-04T00:00:00Z"}], "bugzilla": {"description": "xerces-c: An integer overflow issue that allows remote attackers to cause out-of-bound access via HTTP request", "id": "2243426", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243426"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-190", "details": ["An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.", "An integer overflow exists in xerces-c++. This flaw allows an attacker using a specially crafted HTTP request payload to trigger an out-of-bounds read, resulting in a loss of confidentiality, integrity, and availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-37536", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xerces-c", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-10-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-37536\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-37536\nhttps://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791"], "statement": "RHEL-6 is Out of Support Scope. \nhttps://access.redhat.com/articles/4997301", "threat_severity": "Important", "upstream_fix": "xerces-c 3.2.4"}