CVE-2014-0644

Published: Apr 17, 2014Modified: May 6, 2026

7.8

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Exploitability: 10.0 / Impact: 6.9

Source: NVD

Description

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.

Affected (3)

Products: Emc: Cloud Tiering Appliance Software, Cloud Tiering Appliance

2 products

Cloud Tiering Appliance Software

Cloud Tiering Appliance

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Emc Cloud Tiering Appliance Software	Version 10.0
Emc Cloud Tiering Appliance Software	Version 10.0 sp1
Emc Cloud Tiering Appliance	All versions

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

http://archives.neohapsis.com/archives/bugtraq/2014-04/0094.html

Source: security_alert@emc.com

http://seclists.org/fulldisclosure/2014/Mar/426

Source: security_alert@emc.com

https://gist.github.com/brandonprry/9895721

Source: security_alert@emc.com

http://archives.neohapsis.com/archives/bugtraq/2014-04/0094.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2014/Mar/426

Source: af854a3a-2127-422b-91ae-364da2661108

https://gist.github.com/brandonprry/9895721

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.