CVE-2013-5372

The XML4J parser in IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.7, and 8.0 before 8.0.0.4 and IBM Integration Bus 9.0 before 9.0.0.1 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document that triggers expansion for many entities.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21653087	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC96473
http://www-01.ibm.com/support/docview.wss?uid=swg21655201
http://www-01.ibm.com/support/docview.wss?uid=swg21655202
https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013
http://rhn.redhat.com/errata/RHSA-2013-1507.html
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00013.html
http://rhn.redhat.com/errata/RHSA-2013-1508.html
http://rhn.redhat.com/errata/RHSA-2013-1509.html
http://rhn.redhat.com/errata/RHSA-2013-1793.html
http://secunia.com/advisories/56338
https://exchange.xforce.ibmcloud.com/vulnerabilities/86662

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.1:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.10:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.4:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.5:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.7:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.6:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.8:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.9:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.11:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.2:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:6.1.0.3:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:ibm:websphere_message_broker:8.0:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:8.0.0.1:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:8.0.0.2:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:8.0.0.3:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.3:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.4:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.5:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.6:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.1:::::::*
	cpe:2.3:a:ibm:websphere_message_broker:7.0.0.2:::::::*

Information

Published : 2013-10-19 03:36

Updated : 2017-08-28 18:33

NVD link : CVE-2013-5372

Mitre link : CVE-2013-5372

JSON object : View

CWE

CWE-399

Resource Management Errors

Products Affected

ibm

websphere_message_broker

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653087", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21653087", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC96473", "name": "IC96473", "tags": [], "refsource": "AIXAPAR"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21655201", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21655201", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21655202", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21655202", "tags": [], "refsource": "CONFIRM"}, {"url": "https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013", "name": "https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013", "tags": [], "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1507.html", "name": "RHSA-2013:1507", "tags": [], "refsource": "REDHAT"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00013.html", "name": "SUSE-SU-2013:1677", "tags": [], "refsource": "SUSE"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1508.html", "name": "RHSA-2013:1508", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1509.html", "name": "RHSA-2013:1509", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1793.html", "name": "RHSA-2013:1793", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/56338", "name": "56338", "tags": [], "refsource": "SECUNIA"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86662", "name": "ibm-xml4j-cve20135372-dos(86662)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The XML4J parser in IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.7, and 8.0 before 8.0.0.4 and IBM Integration Bus 9.0 before 9.0.0.1 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document that triggers expansion for many entities."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-399"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-5372", "ASSIGNER": "psirt@us.ibm.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-10-19T10:36Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:6.1.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:8.0.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:8.0.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:8.0.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:websphere_message_broker:7.0.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:33Z"}

4.3 /10