CVE-2019-3722 - Vulnerability Details - OpenCVE

Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Emc Openmanage Server Administrator

Configuration 1 [-]

OR	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1:::::::*
	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.1:::::::*
	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.2:::::::*
	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2:::::::*
	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.1:::::::*
	cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.2:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/108685
https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en

History

Mon, 16 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Title	XML External Entity (XXE) Injection Vulnerability	XML External Entity (XXE) Injection Vulnerability

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2019-06-06T19:13:51.076423Z

Updated: 2024-09-16T17:22:35.591Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3722

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-06T19:29:00.703

Modified: 2024-11-21T04:42:24.300

Link: CVE-2019-3722

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "OpenManage Server Administrator", "vendor": "Dell EMC", "versions": [{"lessThan": "9.1.0.3", "status": "affected", "version": "9.1.0.3", "versionType": "custom"}, {"lessThan": "9.3.0.4", "status": "affected", "version": "9.3.0.4", "versionType": "custom"}]}], "datePublic": "2019-06-03T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "XML External Entity (XXE) Injection Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-10T06:06:05", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"}, {"name": "108685", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108685"}], "source": {"discovery": "UNKNOWN"}, "title": "XML External Entity (XXE) Injection Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2019-06-03T17:00:00.000Z", "ID": "CVE-2019-3722", "STATE": "PUBLIC", "TITLE": "XML External Entity (XXE) Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OpenManage Server Administrator", "version": {"version_data": [{"version_affected": "<", "version_name": "9.1.0.3", "version_value": "9.1.0.3"}, {"version_affected": "<", "version_name": "9.3.0.4", "version_value": "9.3.0.4"}]}}]}, "vendor_name": "Dell EMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request."}]}, "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML External Entity (XXE) Injection Vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en", "refsource": "CONFIRM", "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"}, {"name": "108685", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108685"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.254Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"}, {"name": "108685", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108685"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2019-3722", "datePublished": "2019-06-06T19:13:51.076423Z", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-09-16T17:22:35.591Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "27A15630-3C36-4160-99E2-76B8B29EC6E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F0464BDE-2461-4ECB-BA4E-4E92A80F6808", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C76D0E62-E7CB-43DE-90B4-FF92D4AFC9DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "C3463683-F756-4581-A39C-24AA74982242", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "729D5479-F7ED-48DF-A206-62A2EAFFCF43", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "0C66F3E6-465A-4465-A686-0698E81062ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request."}, {"lang": "es", "value": "Las versiones de Dell EMC OpenManage Server Administrator (OMSA) anteriores a 9.1.0.3 y anteriores a 9.2.0.4 contienen una vulnerabilidad de inyecci\u00f3n de entidad externa XML (XXE). Un atacante remoto no identificado podr\u00eda potencialmente aprovechar esta vulnerabilidad para leer archivos arbitrarios del sistema del servidor al proporcionar definiciones de tipo de documento especialmente dise\u00f1adas (DTD) en una solicitud XML."}], "id": "CVE-2019-3722", "lastModified": "2024-11-21T04:42:24.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-06T19:29:00.703", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/108685"}, {"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/108685"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}