CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published: Aug 18, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-3087
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
ibm / websphere_application_server	7.2	7.2.x
ibm / business_process_manager	8.5.0.0	8.5.0.0.x
ibm / business_process_manager	7.5.0.0	7.5.0.0.x
ibm / business_process_manager	8.0.1.0	8.0.1.0.x
ibm / business_process_manager	8.0.1.1	8.0.1.1.x
ibm / business_process_manager	8.5.5.0	8.5.5.0.x
ibm / business_process_manager	7.5.1.2	7.5.1.2.x
ibm / business_process_manager	7.5.1.1	7.5.1.1.x
ibm / business_process_manager	8.5.0.1	8.5.0.1.x
ibm / business_process_manager	7.5.1.0	7.5.1.0.x
ibm / business_process_manager	8.0.0.0	8.0.0.0.x
ibm / business_process_manager	8.0.1.2	8.0.1.2.x
ibm / business_process_manager	7.5.0.1	7.5.0.1.x

Vulnerability Database

290,278

CVE-2014-3087