CVE-2014-0644

Name of the Vulnerable Software and Affected Versions EMC Cloud Tiering Appliance (CTA) versions 10 through SP1

Description The issue allows remote attackers to read arbitrary files via an "api/login" request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. This can be demonstrated by reading the /etc/shadow file.

Recommendations For versions 10 through SP1, as a temporary workaround, consider restricting access to the "api/login" endpoint until a patch is available. Avoid using XML external entity declarations in conjunction with entity references in the api/login request until the issue is resolved.