questions and answers concerning these vulnerabilities cve-2018-13822, cve-2018-13823, cve-2018-13824, cve-2018-13825, cve-2018-13826

Document ID : KB000115896
Last Modified Date : 26/09/2018
Show Technical Document Details
Introduction:
Questions and Answers concerning these vulnerabilities:-

CVE-2018-13822
CVE-2018-13823
CVE-2018-13824
CVE-2018-13825
CVE-2018-13826
 
Question:
Q1. The first vulnerability, CVE-2018-13822, has a medium risk rating and concerns an SSL password being stored in plain text, which can allow an attacker to access sensitive information. 

Q2. The second vulnerability, CVE-2018-13823, has a high risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to access sensitive information. 

Q3. The third vulnerability, CVE-2018-13824, has a high risk rating and concerns two parameters that fail to properly sanitize input, which can allow a remote attacker to execute SQL injection attacks. 

Q4. The fourth vulnerability, CVE-2018-13825, has a high risk rating and concerns improper input validation by the gridExcelExport functionality, which can allow a remote attacker to execute reflected cross-site scripting attacks. 

Q5. The fifth vulnerability, CVE-2018-13826, has a medium risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to conduct server side request forgery attacks. 
Environment:
CA PPM v13.1, v13.3, v14.2, v14.3, v14.4, v15.1
Answer:
A1. This is basically if you encrypt properties.xml for the passwords you can still see the SSL password. This is low risk since you can restrict the server access. 

A2. This triggers the server to connect to the attacker to retrieve dtd document. This can be used to force Server Side Request Forgery (which, for one, reveals true IP of the machine if it is behind a load balancer - this can actually lead to the other vulnerability - remote command execution). This is high risk and we don’t have any fix unless we upgrade 

A3. This is SQL injection where an attacker can craft the vector and inject the SQL 

A4. This is again sort of cross side scripting where you can again inject the vector on export to excel action. 

A5. This triggers the server to connect to the attacker to retrieve dtd document. This can be used to force Server Side Request Forgery (which, for one, reveals true IP of the machine if it is behind a load balancer - this can actually lead to the other vulnerability - remote command execution). This is high risk and we don’t have any fix unless we upgrade