CVE-2014-0854 - Vulnerability Details - OpenCVE

The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Cognos Business Intelligence

Configuration 1 [-]

OR	cpe:2.3:a:ibm:cognos_business_intelligence:8.4.1:::::::*
	cpe:2.3:a:ibm:cognos_business_intelligence:10.1:::::::*
	cpe:2.3:a:ibm:cognos_business_intelligence:10.1.1:::::::*
	cpe:2.3:a:ibm:cognos_business_intelligence:10.2:::::::*
	cpe:2.3:a:ibm:cognos_business_intelligence:10.2.1:::::::*
	cpe:2.3:a:ibm:cognos_business_intelligence:10.2.1.1:::::::*

No data.

References

Link	Providers
http://www-01.ibm.com/support/docview.wss?uid=swg21662856
https://exchange.xforce.ibmcloud.com/vulnerabilities/90794

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2014-02-22T21:00:00

Updated: 2024-08-06T09:27:20.225Z

Reserved: 2014-01-06T00:00:00

Link: CVE-2014-0854

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-02-22T21:55:09.860

Modified: 2025-04-11T00:51:21.963

Link: CVE-2014-0854

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-02-20T00:00:00", "descriptions": [{"lang": "en", "value": "The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "ibm-cognos-cve20140854-xxe(90794)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90794"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2014-0854", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ibm-cognos-cve20140854-xxe(90794)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90794"}, {"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:20.225Z"}, "title": "CVE Program Container", "references": [{"name": "ibm-cognos-cve20140854-xxe(90794)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90794"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2014-0854", "datePublished": "2014-02-22T21:00:00", "dateReserved": "2014-01-06T00:00:00", "dateUpdated": "2024-08-06T09:27:20.225Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:8.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "2B76A06D-761D-4CFE-A9E6-FC5A1F726CF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "519B7097-7E46-4520-B9F9-A85E13A0F9CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:10.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B00BAD84-4BB6-41ED-835E-86AB150716D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:*", "matchCriteriaId": "6588FEE1-5A6F-4ED6-998A-B8CF54954F5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:10.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FDA8132D-A09E-4D4C-9A5D-D708010CCFFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_business_intelligence:10.2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7CCBB0AE-ECD1-4192-B1BB-18439A4CF7B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "El servidor en Cognos Business Intelligence (BI) de IBM versi\u00f3n 8.4.1, versi\u00f3n 10.1 anterior a IF6, versi\u00f3n 10.1.1 anterior a IF5, versi\u00f3n 10.2 anterior a IF7, versi\u00f3n 10.2.1 anterior a IF4, y versi\u00f3n 10.2.1.1 anterior a IF4, permite a los usuarios autenticados remotos leer archivos arbitrarios por medio de un documento XML que contiene una declaraci\u00f3n de entidad externa junto con una referencia de entidad, relacionada con un problema de tipo XML External Entity (XXE)."}], "id": "CVE-2014-0854", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-02-22T21:55:09.860", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856"}, {"source": "psirt@us.ibm.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90794"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21662856"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90794"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}