CVE-2015-3269: Cisco Nexus Dashboard Fabric Controller XML External Entity Processing Information Disclosure Vulnerability
First published: Tue Aug 25 2015(Updated: )
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HP Business Service Management | <=9.26 | |
| Adobe LiveCycle Data Services | =3.0 | |
| Adobe LiveCycle Data Services | =4.5 | |
| Adobe LiveCycle Data Services | =4.6 | |
| Adobe LiveCycle Data Services | =4.7 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=bugtraq&m=145706712500978&w=2
- http://www.securityfocus.com/archive/1/536266/100/0/threaded
- http://www.securityfocus.com/bid/76394
- http://www.securitytracker.com/id/1033337
- http://www.vmware.com/security/advisories/VMSA-2015-0008.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05026202
- https://helpx.adobe.com/content/help/en/security/products/coldfusion/apsb15-21.html
- https://helpx.adobe.com/security/products/livecycleds/apsb15-20.html
- https://www.zerodayinitiative.com/advisories/ZDI-22-508/
Frequently Asked Questions
What is the severity of CVE-2015-3269?
CVE-2015-3269 is classified as a high severity vulnerability allowing remote attackers to read arbitrary files.
How do I fix CVE-2015-3269?
To mitigate CVE-2015-3269, update Adobe LiveCycle Data Services to the latest patched version.
Which versions of Adobe LiveCycle Data Services are affected by CVE-2015-3269?
Adobe LiveCycle Data Services versions 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 are affected by CVE-2015-3269.
Can CVE-2015-3269 affect other products besides Adobe LiveCycle Data Services?
Yes, CVE-2015-3269 can also affect HP Business Service Management and Cisco Nexus Dashboard Fabric Controller.
What type of attack does CVE-2015-3269 enable?
CVE-2015-3269 enables remote attackers to exploit the vulnerability and gain unauthorized access to sensitive files.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/title
- agent/references
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-22-508
- alias/ZDI-CAN-15192
- alias/CVE-2015-3269
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco nexus dashboard fabric controller
- vendor/hp
- canonical/hp business service management
- version/hp business service management/9.26
- vendor/adobe
- canonical/adobe livecycle data services
- version/adobe livecycle data services/3.0
- version/adobe livecycle data services/4.5
- version/adobe livecycle data services/4.6
- version/adobe livecycle data services/4.7