A vulnerability classified as critical was found in HCL AppScan Source up to 9.03.12. Affected by this vulnerability is an unknown function of the component XML Data Handler. The manipulation with an unknown input leads to a xml external entity reference vulnerability. The CWE definition for the vulnerability is CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks.

The weakness was shared 09/25/2019 (Website). It is possible to read the advisory at hclpnpsupport.hcltech.com. This vulnerability is known as CVE-2019-16188 since 09/09/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 9.03.13 eliminates this vulnerability.

Productinfo

Vendor

• HCL

Name

• AppScan Source

Version

• 9.03.0
• 9.03.1
• 9.03.2
• 9.03.3
• 9.03.4
• 9.03.5
• 9.03.6
• 9.03.7
• 9.03.8
• 9.03.9
• 9.03.10
• 9.03.11
• 9.03.12

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion