CVE-2024-54171
Published: 06 February 2025
Description
IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Security Summary
IBM EntireX 11.1 is vulnerable to CVE-2024-54171, an XML external entity (XXE) injection flaw classified under CWE-611. This vulnerability arises during the processing of XML data, enabling potential injection of external entities that could lead to unauthorized data access or resource exhaustion.
An authenticated attacker with low privileges (PR:L) can exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields high confidentiality impact through sensitive information disclosure, alongside low availability impact via memory resource consumption, without affecting integrity or scope (S:U), as reflected in the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7182693, published on 2025-02-06, which provides details on the vulnerability and recommended mitigation actions.
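The mitigation for CWE-611 is the same whatever the product: the XML parser that handles untrusted input must not declare or resolve entities at all. The following is an added illustration of that hardened intake, written here for this page in Python with only the standard-library expat bindings; it is not IBM's or EntireX's own code, and the sample documents, the `PLACEHOLDER` URI and the function names are constructed for the example. Rejecting any `DOCTYPE` closes both outcomes the advisory names, since external (`SYSTEM`) entities and nested entity expansion both require a DTD.

```python
"""Hardened XML intake for untrusted input (standard library only).

Added example: rejects every DOCTYPE before any entity can be declared, and
refuses external entity resolution as a second layer.
"""
from __future__ import annotations

import xml.parsers.expat
from xml.parsers.expat import ExpatError


class UnsafeXML(ValueError):
    """Raised when the document carries constructs that enable XXE or entity-expansion DoS."""


def parse_untrusted_xml(data: bytes) -> list[tuple[str, str]]:
    """Parse XML from an untrusted source and return (element, text) pairs in end-tag order.

    Defences applied:
      * any DOCTYPE (internal or external subset) aborts parsing, so no entity can be
        declared: neither SYSTEM entities (information disclosure) nor nested entity
        expansion (memory consumption) are reachable;
      * external entity references and parameter-entity parsing are refused anyway,
        in case the DOCTYPE rule is ever relaxed.
    Malformed XML raises ExpatError; unsafe XML raises UnsafeXML.
    """
    parser = xml.parsers.expat.ParserCreate()
    found: list[tuple[str, str]] = []
    stack: list[list[str]] = []  # one text buffer per open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise UnsafeXML(f"DOCTYPE '{name}' is not allowed in untrusted XML")

    def external_entity_ref(context, base, system_id, public_id):
        # Returning a false value makes expat abort instead of fetching the resource.
        return 0

    def start_element(name, attrs):
        stack.append([])

    def char_data(text):
        if stack:
            stack[-1].append(text)

    def end_element(name):
        found.append((name, "".join(stack.pop()).strip()))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return found


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses under the hardened rules, False when it is rejected."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, ExpatError):
        return False
    return True


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<request><user>alice</user><action>list</action></request>"

# The XXE pattern CWE-611 describes: a DTD declaring an external entity whose
# value would be substituted into the document. The URI is a placeholder; it is
# never fetched because parsing stops at the DOCTYPE.
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b"<request><user>&ext;</user></request>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))          # [('user', 'alice'), ('action', 'list'), ('request', '')]
    print(is_safe_xml(WITH_EXTERNAL_ENTITY))   # False
```

The DOCTYPE check is the one that matters operationally: the same rule (refuse DTDs entirely) is what the OWASP XXE prevention guidance recommends for Java's `DocumentBuilderFactory` via `disallow-doctype-decl`, and it also removes the entity-expansion path behind the advisory's memory-consumption impact.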
Details
- CWE(s): CWE-611