A vulnerability, which was classified as critical, was found in CA Cloud Service Management up to 2013 (Cloud Software). Affected is an unknown code. The manipulation with an unknown input leads to a memory allocation vulnerability. CWE is classifying the issue as CWE-789. The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

The weakness was shared 11/04/2014 (Website). The advisory is shared for download at ca.com. This vulnerability is traded as CVE-2014-8474 since 10/24/2014. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.

Upgrading to version 2014 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (98537). The entries 72803, 72802 and 72801 are related to this item.

Productinfo

Type

• Cloud Software

Vendor

• CA

Name

• Cloud Service Management

Version

• 2013

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion