Detections
Analytics
EMC Cloud Tiering Appliance XML External Entity (XXE) Arbitrary File Disclosure
high Nessus Plugin ID 73373
Language:
Synopsis
The remote EMC CTA install is affected by an arbitrary file disclosure vulnerability.Description
The remote EMC Cloud Tiering Appliance (CTA) install is affected by an arbitrary file disclosure vulnerability. It is possible to view any file on the system by utilizing XML external entity injection in specially crafted XML data sent to the REST service on the remote host.Note that hosts that are affected by this vulnerability are potentially affected by other vulnerabilities though Nessus has not tested for any additional vulnerabilities.
Solution
Apply Hot Fix for ESA-2014-028 per the vendor's advisory.See Also
https://seclists.org/fulldisclosure/2014/Mar/426
https://seclists.org/bugtraq/2014/Apr/att-93/ESA-2014-028.txt
Plugin Details
Severity: High
ID: 73373
File Name: emc_cta_xxe.nasl
Version: 1.11
Type: remote
Family: CGI abuses
Published: 4/7/2014
Updated: 1/19/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: High
Base Score: 7.8
Temporal Score: 6.1
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS Score Source: CVE-2014-0644
Vulnerability Information
CPE: cpe:/h:emc:cloud_tiering_appliance, cpe:/a:emc:cloud_tiering_appliance_virtual_edition
Required KB Items: www/emc_cta_ui
Exploit Available: true
Exploit Ease: Exploits are available
Exploited by Nessus: true
Vulnerability Publication Date: 3/31/2014
Reference Information
CVE: CVE-2014-0644
BID: 66547