IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spss_modeler | Ibm | 14.0.0.0 (including) | 14.0.0.0 (including) |
| Spss_modeler | Ibm | 14.0.0.1 (including) | 14.0.0.1 (including) |
| Spss_modeler | Ibm | 14.0.0.2 (including) | 14.0.0.2 (including) |
| Spss_modeler | Ibm | 14.1.0.0 (including) | 14.1.0.0 (including) |
| Spss_modeler | Ibm | 14.1.0.1 (including) | 14.1.0.1 (including) |
| Spss_modeler | Ibm | 14.1.0.2 (including) | 14.1.0.2 (including) |
| Spss_modeler | Ibm | 14.2.0.0 (including) | 14.2.0.0 (including) |
| Spss_modeler | Ibm | 14.2.0.1 (including) | 14.2.0.1 (including) |
| Spss_modeler | Ibm | 14.2.0.2 (including) | 14.2.0.2 (including) |
| Spss_modeler | Ibm | 14.2.0.3 (including) | 14.2.0.3 (including) |
| Spss_modeler | Ibm | 15.0.0.0 (including) | 15.0.0.0 (including) |
| Spss_modeler | Ibm | 15.0.0.1 (including) | 15.0.0.1 (including) |
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM79454
- http://www-01.ibm.com/support/docview.wss?uid=swg21620758
- http://www-01.ibm.com/support/docview.wss?uid=swg24034122
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80316
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM79454
- http://www-01.ibm.com/support/docview.wss?uid=swg21620758
- http://www-01.ibm.com/support/docview.wss?uid=swg24034122
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80316