Sybase EAServer XML External Entity (XXE) Arbitrary File Disclosure

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

The remote Sybase install is affected by an arbitrary file disclosure
vulnerability.

Description :

The remote Sybase EAServer install is affected by an arbitrary file
disclosure vulnerability. It is possible to view any file on the system
by utilizing XML external entity injection in specially crafted XML data
sent to the REST service on the remote host.

Note that hosts that are affected by this vulnerability are potentially
affected by other vulnerabilities that Nessus has not tested for.

See also :

http://www.nessus.org/u?a6e04211
http://www.sybase.com/detail?id=1099353

Solution :

Apply the appropriate patch per the vendor's advisory.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVSS Temporal Score : 6.1
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 69171 ()

Bugtraq ID: 60614
61358

CVE ID:

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial