CVE-2018-13823 - OpenCVE

An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Broadcom	Project Portfolio Management
Ca	Project Portfolio Management

Configuration 1 [-]

OR	cpe:2.3:a:broadcom:project_portfolio_management::::::::
	cpe:2.3:a:broadcom:project_portfolio_management:14.4:::::::*
	cpe:2.3:a:broadcom:project_portfolio_management:15.1:::::::*
	cpe:2.3:a:ca:project_portfolio_management:15.2:cp5::::::
	cpe:2.3:a:ca:project_portfolio_management:15.3:cp2::::::

References

Link	Resource
http://www.securityfocus.com/bid/105297	Third Party Advisory VDB Entry
https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ca

Published: 2018-08-29T00:00:00

Updated: 2018-09-08T09:57:01

Reserved: 2018-07-10T00:00:00

Link: CVE-2018-13823

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-08-30T14:29:01.063

Modified: 2021-04-12T13:43:28.627

Link: CVE-2018-13823

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "PPM", "vendor": "CA Technologies", "versions": [{"status": "affected", "version": "15.3 and earlier"}]}], "datePublic": "2018-08-29T00:00:00", "descriptions": [{"lang": "en", "value": "An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information."}], "problemTypes": [{"descriptions": [{"description": "XML External Entity (XXE)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-08T09:57:01", "orgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", "shortName": "ca"}, "references": [{"name": "105297", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105297"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@ca.com", "DATE_PUBLIC": "2018-08-29T00:00:00", "ID": "CVE-2018-13823", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PPM", "version": {"version_data": [{"version_value": "15.3 and earlier"}]}}]}, "vendor_name": "CA Technologies"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML External Entity (XXE)"}]}]}, "references": {"reference_data": [{"name": "105297", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105297"}, {"name": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html", "refsource": "CONFIRM", "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"}]}}}}, "cveMetadata": {"assignerOrgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", "assignerShortName": "ca", "cveId": "CVE-2018-13823", "datePublished": "2018-08-29T00:00:00", "dateReserved": "2018-07-10T00:00:00", "dateUpdated": "2018-09-08T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E2B0528-B1EB-421D-BB2D-88D6B32E798B", "versionEndIncluding": "14.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:project_portfolio_management:14.4:*:*:*:*:*:*:*", "matchCriteriaId": "B0ADEFB0-9DFF-4F7C-B23B-5BDEC0DF9CED", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:project_portfolio_management:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "78CE337F-8A8B-47E4-8E23-1DF13CC1591E", "vulnerable": true}, {"criteria": "cpe:2.3:a:ca:project_portfolio_management:15.2:cp5:*:*:*:*:*:*", "matchCriteriaId": "9E5E2436-DAA7-4C4D-89DB-F9D6BDC292DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:ca:project_portfolio_management:15.3:cp2:*:*:*:*:*:*", "matchCriteriaId": "4705AC24-8C61-4B2C-85C0-98D17366CA23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information."}, {"lang": "es", "value": "Una vulnerabilidad de XEE (XML External Entity) en la funcionalidad XOG de CA PPM 14.3 y anteriores, 14.4, 15.1, 15.2 CP5 y anteriores y 15.3 CP2 y anteriores permite que los atacantes remotos accedan a informaci\u00f3n sensible."}], "id": "CVE-2018-13823", "lastModified": "2021-04-12T13:43:28.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-30T14:29:01.063", "references": [{"source": "vuln@ca.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105297"}, {"source": "vuln@ca.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html"}], "sourceIdentifier": "vuln@ca.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}