CVE-2019-9488

Published: Sep 11, 2019Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM).

Affected (30)

Products: Trendmicro: Deep Security Manager, Vulnerability Protection

Trendmicro

2 products

Deep Security Manager

Vulnerability Protection

Configuration A

30 vulnerable

Vulnerable Software	Affected Versions
Trendmicro Deep Security Manager	Version 10.0
Trendmicro Deep Security Manager	Version 10.0 u10
Trendmicro Deep Security Manager	Version 10.0 u11
Trendmicro Deep Security Manager	Version 10.0 u12
Trendmicro Deep Security Manager	Version 10.0 u13
Trendmicro Deep Security Manager	Version 10.0 u14
Trendmicro Deep Security Manager	Version 10.0 u15
Trendmicro Deep Security Manager	Version 10.0 u16
Trendmicro Deep Security Manager	Version 10.0 u17
Trendmicro Deep Security Manager	Version 10.0 u18
Trendmicro Deep Security Manager	Version 10.0 u19
Trendmicro Deep Security Manager	Version 10.0 u1
Trendmicro Deep Security Manager	Version 10.0 u2
Trendmicro Deep Security Manager	Version 10.0 u3
Trendmicro Deep Security Manager	Version 10.0 u4
Trendmicro Deep Security Manager	Version 10.0 u5
Trendmicro Deep Security Manager	Version 10.0 u6
Trendmicro Deep Security Manager	Version 10.0 u7
Trendmicro Deep Security Manager	Version 10.0 u8
Trendmicro Deep Security Manager	Version 10.0 u9
Trendmicro Deep Security Manager	Version 11.0
Trendmicro Deep Security Manager	Version 11.0 u1
Trendmicro Deep Security Manager	Version 11.0 u2
Trendmicro Deep Security Manager	Version 11.0 u3
Trendmicro Deep Security Manager	Version 11.0 u4
Trendmicro Deep Security Manager	Version 11.0 u5
Trendmicro Deep Security Manager	Version 11.0 u6
Trendmicro Deep Security Manager	Version 11.0 u7
Trendmicro Deep Security Manager	Version 11.3
Trendmicro Vulnerability Protection	Version 2.0

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://success.trendmicro.com/solution/1122900

Source: security@trendmicro.com

PatchVendor Advisory

https://success.trendmicro.com/solution/1122900

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.