CVE-2017-1666: XEE
First published: Tue Jan 09 2018(Updated: )
IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Key Lifecycle Manager | =2.5.0 | |
| IBM Security Key Lifecycle Manager | =2.5.0.1 | |
| IBM Security Key Lifecycle Manager | =2.5.0.2 | |
| IBM Security Key Lifecycle Manager | =2.5.0.3 | |
| IBM Security Key Lifecycle Manager | =2.5.0.4 | |
| IBM Security Key Lifecycle Manager | =2.5.0.5 | |
| IBM Security Key Lifecycle Manager | =2.5.0.6 | |
| IBM Security Key Lifecycle Manager | =2.5.0.7 | |
| IBM Security Key Lifecycle Manager | =2.5.0.8 | |
| IBM Security Key Lifecycle Manager | =2.6.0 | |
| IBM Security Key Lifecycle Manager | =2.6.0.1 | |
| IBM Security Key Lifecycle Manager | =2.6.0.2 | |
| IBM Security Key Lifecycle Manager | =2.6.0.3 | |
| IBM Security Key Lifecycle Manager | =2.7.0 | |
| IBM Security Key Lifecycle Manager | =2.7.0.1 | |
| IBM Security Key Lifecycle Manager | =2.7.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-1666?
CVE-2017-1666 is classified as a medium severity vulnerability due to its potential to expose sensitive information.
How do I fix CVE-2017-1666?
To fix CVE-2017-1666, upgrade IBM Tivoli Key Lifecycle Manager to the latest version that addresses this vulnerability.
What types of attacks does CVE-2017-1666 enable?
CVE-2017-1666 enables an XML External Entity Injection (XXE) attack which can lead to the exposure of sensitive information or resource exhaustion.
What versions of IBM Tivoli Key Lifecycle Manager are affected by CVE-2017-1666?
CVE-2017-1666 affects IBM Tivoli Key Lifecycle Manager versions 2.5, 2.6, and 2.7.
Can CVE-2017-1666 be exploited remotely?
Yes, CVE-2017-1666 can be exploited remotely by an attacker to execute an XXE attack.
- agent/type
- agent/softwarecombine
- agent/references
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm security key lifecycle manager
- version/ibm security key lifecycle manager/2.5.0
- version/ibm security key lifecycle manager/2.5.0.1
- version/ibm security key lifecycle manager/2.5.0.2
- version/ibm security key lifecycle manager/2.5.0.3
- version/ibm security key lifecycle manager/2.5.0.4
- version/ibm security key lifecycle manager/2.5.0.5
- version/ibm security key lifecycle manager/2.5.0.6
- version/ibm security key lifecycle manager/2.5.0.7
- version/ibm security key lifecycle manager/2.5.0.8
- version/ibm security key lifecycle manager/2.6.0
- version/ibm security key lifecycle manager/2.6.0.1
- version/ibm security key lifecycle manager/2.6.0.2
- version/ibm security key lifecycle manager/2.6.0.3
- version/ibm security key lifecycle manager/2.7.0
- version/ibm security key lifecycle manager/2.7.0.1
- version/ibm security key lifecycle manager/2.7.0.2