A vulnerability classified as critical was found in Dell EMC OpenManage Server Administrator up to 9.1.0.2/9.2.0.3. Affected by this vulnerability is some unknown processing of the component XML Data Handler. The manipulation as part of a XML Request leads to a xml external entity reference vulnerability. The CWE definition for the vulnerability is CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.

The weakness was published 06/06/2019 (Website). It is possible to read the advisory at dell.com. This vulnerability is known as CVE-2019-3722 since 01/03/2019. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 9.1.0.3 or 9.2.0.4 eliminates this vulnerability.

Similar entry is available at VDB-136136. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Dell EMC

Name

• OpenManage Server Administrator

Version

• 9.1.0.0
• 9.1.0.1
• 9.1.0.2
• 9.2.0.0
• 9.2.0.1
• 9.2.0.2
• 9.2.0.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion