CVE-2016-0319

Published on: 11/25/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:13 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Jazz Reporting Service from IBM contain the following vulnerability:

The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

  • CVE-2016-0319 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

CVSS2 Score: 5 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

CVE References

  • IBM Security Bulletin: Multiple security vulnerabilities affect the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2016-0316, CVE-2016-0317, CVE-2016-0318, CVE-2016-0319) - United States
    Tags: Patch, Vendor Advisory
    Link: CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21983137 (text/html)

  • IBM Jazz Reporting Service CVE-2016-0319 XML External Entity Information Disclosure Vulnerability
    Tags: Third Party Advisory, VDB Entry
    Link: BID 92475, cve.report (archive) (text/html)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | IBM | Jazz Reporting Service | 6.0 | All | All | All
Application | IBM | Jazz Reporting Service | 6.0.1 | All | All | All
  • cpe:2.3:a:ibm:jazz_reporting_service:6.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:ibm:jazz_reporting_service:6.0.1:*:*:*:*:*:*:*: