CVE-2014-6032

high

Description

Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements.

References

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6033/

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6032/

https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/98403

https://exchange.xforce.ibmcloud.com/vulnerabilities/98402

http://www.securitytracker.com/id/1031145

http://www.securitytracker.com/id/1031144

http://seclists.org/fulldisclosure/2014/Oct/130

http://seclists.org/fulldisclosure/2014/Oct/129

http://seclists.org/fulldisclosure/2014/Oct/128

Details

Source: Mitre, NVD

Published: 2014-11-01

Updated: 2017-09-08

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Severity: High