PT-2015-3839 · Ibm · Ibm Emptoris Sourcing+3

Published: 2015-01-10 · Updated: 2017-09-08 · CVE-2014-6212

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

IBM Emptoris Contract Management versions 9.5.x through 9.5.0.5, 10.0.0.x through 10.0.0.0, 10.0.1.x through 10.0.1.4, and 10.0.2.x through 10.0.2.1
IBM Emptoris Sourcing versions 9.5 through 9.5.1.2, 10.0.0.x through 10.0.0.0, 10.0.1.x through 10.0.1.2, and 10.0.2.x through 10.0.2.4
IBM Emptoris Program Management versions 10.0.0.x through 10.0.0.2, 10.0.1.x through 10.0.1.3, and 10.0.2.x through 10.0.2.4
IBM Emptoris Strategic Supply Management versions 10.0.0.x through 10.0.0.2, 10.0.1.x through 10.0.1.3, and 10.0.2.x through 10.0.2.4
Description

The issue is an XML External Entity (XXE) weakness in the Echo API: the XML parser behind the API honours external entity declarations, so a remote authenticated user who submits a document declaring an external entity and then referencing it can read arbitrary files from the server.
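As an added illustration of the mitigation for this class of bug (this is not IBM's code and is not from the advisory), the hypothetical hardened echo handler below parses the submitted document with Python's expat bindings and refuses any DOCTYPE, entity declaration or external entity reference before echoing the element text; the sample inputs are constructed and the file path in the rejected sample is a placeholder.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""


def echo_hardened(xml_text: str) -> str:
    """Hypothetical hardened echo handler: returns the character data of the document,
    refusing any construct that an XXE payload needs (DOCTYPE, entity declarations,
    external entity references). Well-formedness errors propagate as ExpatError."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not accepted")

    def refuse_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration '{name}' is not accepted")

    def refuse_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to '{sysid}' is not accepted")

    # Any of these callbacks firing means the document is not plain data; abort the parse.
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref
    # Predefined entities such as &amp; arrive here as ordinary character data.
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def is_safe_echo_input(xml_text: str) -> bool:
    """True when the document parses without any DTD/entity construct; False otherwise."""
    try:
        echo_hardened(xml_text)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a benign request and a request declaring an external entity.
BENIGN = "<echo>hello &amp; goodbye</echo>"
EXTERNAL_ENTITY = ('<!DOCTYPE echo [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
                   '<echo>&ext;</echo>')
DOCTYPE_ONLY = "<!DOCTYPE echo><echo>x</echo>"
```

Refusing every DOCTYPE, rather than only external entities, also closes the internal-entity expansion variants that the same parser setting would otherwise still process.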
Recommendations

IBM Emptoris Contract Management:
- versions 9.5.x through 9.5.0.5: update to 9.5.0.6 iFix11 or later
- versions 10.0.0.x through 10.0.0.0: update to 10.0.0.1 iFix12 or later
- versions 10.0.1.x through 10.0.1.4: update to 10.0.1.5 iFix2 or later
- versions 10.0.2.x through 10.0.2.1: update to 10.0.2.2 iFix5 or later

IBM Emptoris Sourcing:
- versions 9.5 through 9.5.1.2: update to 9.5.1.3 iFix2 or later
- versions 10.0.0.x through 10.0.0.0: update to 10.0.0.1 iFix1 or later
- versions 10.0.1.x through 10.0.1.2: update to 10.0.1.3 iFix1 or later
- versions 10.0.2.x through 10.0.2.4: update to 10.0.2.5 or later

IBM Emptoris Program Management:
- versions 10.0.0.x through 10.0.0.2: update to 10.0.0.3 iFix6 or later
- versions 10.0.1.x through 10.0.1.3: update to 10.0.1.4 iFix1 or later
- versions 10.0.2.x through 10.0.2.4: update to 10.0.2.5 or later

IBM Emptoris Strategic Supply Management:
- versions 10.0.0.x through 10.0.0.2: update to 10.0.0.3 iFix6 or later
- versions 10.0.1.x through 10.0.1.3: update to 10.0.1.4 iFix1 or later
- versions 10.0.2.x through 10.0.2.4: update to 10.0.2.5 or later


Related Identifiers

CVE-2014-6212

Affected Products

Ibm Emptoris Contract Management
Ibm Emptoris Program Management
Ibm Emptoris Sourcing
Ibm Emptoris Strategic Supply Management