CVE-2021-21517

Published: Mar 1, 2021Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Exploitability: 3.9 / Impact: 2.7

Source: NVD

Description

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.

Affected (3)

Products: Dell: Emc Srs Policy Manager

1 product

Emc Srs Policy Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Dell Emc Srs Policy Manager	Version 6.6
Dell Emc Srs Policy Manager	Version 6.8.3
Dell Emc Srs Policy Manager	Version 6.9.0

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability

Source: security_alert@emc.com

Vendor Advisory

https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.