NVD Vulnerability Detail

CVE-2019-14277

Summary	Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because “All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.
Publication Date	July 26, 2019, 1:15 p.m.
Registration Date	Jan. 26, 2021, 11:39 a.m.
Last Update	Nov. 21, 2024, 1:26 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://community.axway.com/s/article/SecureTransport-Security-Notice	Vendor Advisory
2	https://community.axway.com/s/article/SecureTransport-Security-Notice	Vendor Advisory
3	https://community.axway.com/s/article/SecureTransport-Security-Notice-re-CVE-2019-14277-Unauthenticated-XML-Injection-and-XXE	Vendor Advisory
4	https://community.axway.com/s/article/SecureTransport-Security-Notice-re-CVE-2019-14277-Unauthenticated-XML-Injection-and-XXE	Vendor Advisory
5	https://gist.githubusercontent.com/zeropwn/59f17727dfaba239b0ace6f33b752974/raw/9b6541a94ac5ec181a88e6c84cb3e3001025b8fd/Axway%2520SecureTransport%25205.x%2520Unauthenticated%2520XXE	Exploit Third Party Advisory
6	https://gist.githubusercontent.com/zeropwn/59f17727dfaba239b0ace6f33b752974/raw/9b6541a94ac5ec181a88e6c84cb3e3001025b8fd/Axway%2520SecureTransport%25205.x%2520Unauthenticated%2520XXE	Exploit Third Party Advisory
7	https://www.exploit-db.com/exploits/47150	Exploit Third Party Advisory VDB Entry
8	https://www.exploit-db.com/exploits/47150	Exploit Third Party Advisory VDB Entry
9	https://zero.lol/2019-07-21-axway-securetransport-xml-injection/	Exploit Third Party Advisory URL Repurposed
10	https://zero.lol/2019-07-21-axway-securetransport-xml-injection/	Exploit Third Party Advisory URL Repurposed

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-91	ブラインド XPath インジェクション	https://cwe.mitre.org/data/definitions/91.html

JVN Vulnerability Information

Axway SecureTransport における XML 外部エンティティの脆弱性

Title	Axway SecureTransport における XML 外部エンティティの脆弱性
Summary	Axway SecureTransport には、XML 外部エンティティの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 20, 2019, midnight
Registration Date	Aug. 8, 2019, 4:55 p.m.
Last Update	Aug. 8, 2019, 4:55 p.m.

Affected System

Axway

SecureTransport

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-14277	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14277
National Vulnerability Database (NVD)
2	CVE-2019-14277	https://nvd.nist.gov/vuln/detail/CVE-2019-14277

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-611	https://cwe.mitre.org/data/definitions/611.html

ベンダー情報

No	Name	URL
Axway
1	SecureTransport 5.4 Administrator Guide	https://docs.axway.com/bundle/SecureTransport_54_AdministratorGuide_allOS_en_HTML5/page/Content/AdministratorsGuide/overview/overview.htm

その他

No	Name	URL
関連文書
1	Axway SecureTransport 5 - Unauthenticated XML Injection	https://www.exploit-db.com/exploits/47150

Change Log

No	Changed Details	Date of change
1	[2019年08月08日] 掲載	Aug. 8, 2019, 4:55 p.m.