{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-11T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified impact via unknown vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "74595", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74595"}, {"name": "RHSA-2015:0957", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0957.html"}, {"name": "SUSE-SU-2015:0928", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:10:50.969Z"}, "title": "CVE Program Container", "references": [{"name": "74595", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74595"}, {"name": "RHSA-2015:0957", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0957.html"}, {"name": "SUSE-SU-2015:0928", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-8162", "datePublished": "2015-05-14T14:00:00.000Z", "dateReserved": "2014-10-10T00:00:00.000Z", "dateUpdated": "2024-08-06T13:10:50.969Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:network_satellite:*:*:*:*:*:*:*:*", "matchCriteriaId": "B71437EE-3D2B-480F-85E9-F0DED473D585", "versionEndIncluding": "5.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:manager:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "2C9E2D37-9F56-49E0-BB28-56FB755CE078", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified impact via unknown vectors."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en la interfaz RPC en Spacewalk y Red Hat Network (RHN) Satellite 5.7 y anteriores permite a atacantes remotos leer archivos arbitrarios y posiblemente tener otro impacto no especificado a trav\u00e9s de vectores desconocidos."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2014-8162", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-05-14T14:59:05.653", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0957.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/74595"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0957.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74595"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Travis Emmert for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:0957", "cpe": "cpe:/a:redhat:network_satellite:5.7::el6", "package": "spacewalk-java-0:2.3.8-103.el6sat", "product_name": "Red Hat Satellite 5.7", "release_date": "2015-05-11T00:00:00Z"}, {"advisory": "RHSA-2015:0957", "cpe": "cpe:/a:redhat:network_satellite:5.7::el6", "package": "spacewalk-setup-0:2.3.0-17.el6sat", "product_name": "Red Hat Satellite 5.7", "release_date": "2015-05-11T00:00:00Z"}], "bugzilla": {"description": "Satellite5: RPC API XML External Entities file disclosure", "id": "1187339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1187339"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["XML external entity (XXE) in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified impact via unknown vectors.", "It was found that the RPC interface in Satellite would resolve external entities, allowing an attacker to conduct XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the Satellite server, and potentially perform other more advanced XXE attacks."], "name": "CVE-2014-8162", "public_date": "2015-05-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-8162\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8162"], "threat_severity": "Moderate"}