CVE-2023-28340

XML External Entity (XXE) Vulnerability in SOAP Response of Web service monitor.

Vulnerability Details
Severity	Medium
CVE ID	CVE-2023-28340
Affected software versions	Version 16320 and below
Fixed Version	Version 16135 to 16139 Version 16213 to 16219 Version 16330 and above
Fixed on	18 Jan 2023

Details

When a malicious WSDL URL is provided in Web Service monitor, the URL SOAP response is parsed by an insecure XML parser which lead to XML External Entity (XXE) Vulnerability.

Impact

This vulnerability allows Applications Manager to be used for file retrieval, server side request forgery, port scanning, or brute forcing.

Fix

Applications Manager version 16330 and above fixes this issue by properly parsing the XML response from the WSDL URL provided by the user.

Steps to update

Update your Applications Manager instance to the latest build using the service pack.

Source and Acknowledgements

Find out more about CVE-2023-28340 from CVE Directory and NIST NVD.

Reported by:

Da22le.

Need Help?

For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com

Loved by customers all over the world

"Standout Tool With Extensive Monitoring Capabilities"

★ ★ ★ ★ ★

It allows us to track crucial metrics such as response times, resource utilization, error rates, and transaction performance. The real-time monitoring alerts promptly notify us of any issues or anomalies, enabling us to take immediate action.

Reviewer Role: Research and Development

"I like Applications Manager because it helps us to detect issues present in our servers and SQL databases."

Carlos Rivero

Tech Support Manager, Lexmark