{"api_version":"1","generated_at":"2026-04-23T07:55:34+00:00","cve":"CVE-2014-3573","urls":{"html":"https://cve.report/CVE-2014-3573","api":"https://cve.report/api/cve/CVE-2014-3573.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-3573","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-3573"},"summary":{"title":"CVE-2014-3573","description":"The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an \"insecure DocumentBuilderFactory,\" which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related to an XML External Entity (XXE) issue.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2014-10-18 00:55:00","updated_at":"2023-02-13 00:40:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2014:1161","name":"https://access.redhat.com/errata/RHSA-2014:1161","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1125795","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1125795","refsource":"MISC","tags":[],"title":"1125795 – (CVE-2014-3573) CVE-2014-3573 oVirt Engine: XML eXternal Entity (XXE) flaw in backend module","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1030807","name":"1030807","refsource":"SECTRACK","tags":[],"title":"Red Hat Enterprise Virtualization Manager XXE Bug Lets Remote Authenticated Users Obtain Files on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2014-3573","name":"https://access.redhat.com/security/cve/CVE-2014-3573","refsource":"MISC","tags":[],"title":"CVE-2014-3573 - Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2014-1161.html","name":"RHSA-2014:1161","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-3573","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3573","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"3573","vulnerable":"1","versionEndIncluding":"3.4.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"enterprise_virtualization_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2014-3573","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an \"insecure DocumentBuilderFactory,\" which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related to an XML External Entity (XXE) issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://rhn.redhat.com/errata/RHSA-2014-1161.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2014-1161.html"},{"url":"http://www.securitytracker.com/id/1030807","refsource":"MISC","name":"http://www.securitytracker.com/id/1030807"}]}},"nvd":{"publishedDate":"2014-10-18 00:55:00","lastModifiedDate":"2023-02-13 00:40:00","problem_types":["CWE-20"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:enterprise_virtualization_manager:*:*:*:*:*:*:*:*","versionEndIncluding":"3.4.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"3573","Ordinal":"70526","Title":"CVE-2014-3573","CVE":"CVE-2014-3573","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"3573","Ordinal":"1","NoteData":"The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an \"insecure DocumentBuilderFactory,\" which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related to an XML External Entity (XXE) issue.","Type":"Description","Title":null},{"CveYear":"2014","CveId":"3573","Ordinal":"2","NoteData":"2014-10-17","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"3573","Ordinal":"3","NoteData":"2014-10-17","Type":"Other","Title":"Modified"}]}}}