CVE-2020-26513 - OpenCVE

An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Intland	Codebeamer

Configuration 1 [-]

OR	cpe:2.3:a:intland:codebeamer::::::::
	cpe:2.3:a:intland:codebeamer:10.1.0:-::::::
	cpe:2.3:a:intland:codebeamer:10.1.0:sp1::::::
	cpe:2.3:a:intland:codebeamer:10.1.0:sp2::::::
	cpe:2.3:a:intland:codebeamer:10.1.0:sp3::::::
	cpe:2.3:a:intland:codebeamer:10.1.0:sp4::::::

References

Link	Resource
https://compass-security.com/fileadmin/Research/Advisories/2020-09_CSNC-2020-008_Intland_codeBeamer_ALM_XXE.txt	Exploit Third Party Advisory
https://intland.com/codebeamer/application-lifecycle-management/	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-07T15:26:25

Updated: 2020-12-07T15:26:25

Reserved: 2020-10-02T00:00:00

Link: CVE-2020-26513

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-07T16:15:12.153

Modified: 2023-10-18T19:04:17.487

Link: CVE-2020-26513

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-07T15:26:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://intland.com/codebeamer/application-lifecycle-management/"}, {"tags": ["x_refsource_MISC"], "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-09_CSNC-2020-008_Intland_codeBeamer_ALM_XXE.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26513", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://intland.com/codebeamer/application-lifecycle-management/", "refsource": "MISC", "url": "https://intland.com/codebeamer/application-lifecycle-management/"}, {"name": "https://compass-security.com/fileadmin/Research/Advisories/2020-09_CSNC-2020-008_Intland_codeBeamer_ALM_XXE.txt", "refsource": "MISC", "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-09_CSNC-2020-008_Intland_codeBeamer_ALM_XXE.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26513", "datePublished": "2020-12-07T15:26:25", "dateReserved": "2020-10-02T00:00:00", "dateUpdated": "2020-12-07T15:26:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intland:codebeamer:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F3BE8BD-0868-4A50-BF06-BAE474BF5328", "versionEndExcluding": "10.1.0", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:intland:codebeamer:10.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "A0128D1A-DA5B-49EE-ABC2-DA75EF2B5594", "vulnerable": true}, {"criteria": "cpe:2.3:a:intland:codebeamer:10.1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "35461BDC-7A06-49AE-A528-DB6A986C9F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:intland:codebeamer:10.1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "B32DF425-549F-4BEC-A7B6-F66CE063C878", "vulnerable": true}, {"criteria": "cpe:2.3:a:intland:codebeamer:10.1.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "8166F01E-B271-4491-B932-00BF843D2146", "vulnerable": true}, {"criteria": "cpe:2.3:a:intland:codebeamer:10.1.0:sp4:*:*:*:*:*:*", "matchCriteriaId": "504110BC-FC0C-4A3F-824C-5BF4C573A792", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Intland codeBeamer ALM versiones 10.xa 10.1.SP4. Los datos XML de ReqIF, usados por la aplicaci\u00f3n codebeamer ALM para importar proyectos, son analizados por componentes de software configurados de manera no segura, que pueden ser objeto de abuso para Ataques de tipo XML External Entity"}], "id": "CVE-2020-26513", "lastModified": "2023-10-18T19:04:17.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-07T16:15:12.153", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-09_CSNC-2020-008_Intland_codeBeamer_ALM_XXE.txt"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://intland.com/codebeamer/application-lifecycle-management/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}