CVE-2002-1252

The Application Messaging Gateway for PeopleTools 8.1x before 8.19, as used in various PeopleSoft products, allows remote attackers to read arbitrary files via certain XML External Entities (XXE) fields in an HTTP POST request that is processed by the SimpleFileHandler handler.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21811	Vendor Advisory
http://www.iss.net/security_center/static/10520.php	Patch Vendor Advisory
http://www.securityfocus.com/bid/6647

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:peoplesoft:peopletools:8.15:::::::*
	cpe:2.3:a:peoplesoft:peopletools:8.17:::::::*
	cpe:2.3:a:peoplesoft:peopletools:8.18:::::::*
	cpe:2.3:a:peoplesoft:peopletools:8.14:::::::*
	cpe:2.3:a:peoplesoft:peopletools:8.16:::::::*

Information

Published : 2003-02-06 21:00

Updated : 2008-09-10 12:14

NVD link : CVE-2002-1252

Mitre link : CVE-2002-1252

JSON object : View

CWE

NVD-CWE-Other

Products Affected

peoplesoft

peopletools

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21811", "name": "20030120 PeopleSoft XML External Entities Vulnerability", "tags": ["Vendor Advisory"], "refsource": "ISS"}, {"url": "http://www.iss.net/security_center/static/10520.php", "name": "peoplesoft-xxe-read-files(10520)", "tags": ["Patch", "Vendor Advisory"], "refsource": "XF"}, {"url": "http://www.securityfocus.com/bid/6647", "name": "6647", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Application Messaging Gateway for PeopleTools 8.1x before 8.19, as used in various PeopleSoft products, allows remote attackers to read arbitrary files via certain XML External Entities (XXE) fields in an HTTP POST request that is processed by the SimpleFileHandler handler."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2002-1252", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2003-02-07T05:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:peoplesoft:peopletools:8.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:peoplesoft:peopletools:8.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:peoplesoft:peopletools:8.18:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:peoplesoft:peopletools:8.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:peoplesoft:peopletools:8.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2008-09-10T19:14Z"}

5.0 /10