VYPR
Unrated severity · NVD Advisory · Published Aug 20, 2019 · Updated Sep 17, 2024

CVE-2019-4340

Description

IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 161419.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Guardium Big Data Intelligence 4.0 is vulnerable to an XXE attack, allowing remote authenticated attackers to disclose sensitive information or cause denial of service.

Vulnerability

IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 is vulnerable to an XML External Entity Injection (XXE) vulnerability when processing XML data. The vulnerability occurs because the application does not properly restrict XML external entity references, allowing an attacker to supply crafted XML input that can be parsed by the vulnerable component [1].

Exploitation

An attacker with network access and valid credentials (authentication is required, as indicated by the CVSS vector PR:L) can exploit this vulnerability by sending a specially crafted XML request to the application. The attacker does not require user interaction, and the attack can be launched remotely over the network [1].

Impact

Successful exploitation of this vulnerability can lead to exposure of sensitive information, as the XXE attack may allow reading of files or internal resources from the server. Additionally, the attacker could consume memory resources, potentially leading to a denial-of-service condition [1]. The CVSS score of 7.1 indicates high confidentiality impact and low availability impact, with no impact on integrity [1].
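The Vulnerability and Impact paragraphs describe a parser that accepts external entity references, with file disclosure and memory consumption as the results. The sketch below is an added, generic illustration of the missing restriction using Python's standard `expat` bindings. It is not IBM's code and not a fix for SonarG; the function names and sample documents are constructed for this example.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """The document carries a DOCTYPE or entity declaration."""

def parse_untrusted(data: bytes) -> list:
    """Parse XML from an untrusted sender and return its element names.

    Refuses any DOCTYPE, so no entity is ever resolved or expanded.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE {name!r} is not allowed")

    def refuse_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration {name!r} is not allowed")

    def refuse_external(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity {sysid!r} is not allowed")

    # Exceptions raised inside expat handlers abort the parse and propagate.
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity            # defence in depth
    parser.ExternalEntityRefHandler = refuse_external   # defence in depth
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names

def accepts(data: bytes) -> bool:
    """True only for well-formed XML that declares no DTD."""
    try:
        parse_untrusted(data)
        return True
    except (ForbiddenXML, xml.parsers.expat.ExpatError):
        return False

# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<report><row id='1'/></report>"
EXTERNAL = (b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
            b"<r>&x;</r>")
NESTED = (b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
          b"<r>&b;</r>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external", EXTERNAL), ("nested", NESTED)):
        print(label, "accepted" if accepts(doc) else "rejected")
```

Rejecting the DOCTYPE outright covers both impacts named above: the external reference is never fetched, and nested internal entities are never expanded.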

Mitigation

IBM has not yet released a fix for this vulnerability as of the publication date (August 2019). The vendor advisory [1] does not specify a remediation version or workaround. Users should monitor IBM's security bulletins for updates and consider restricting network access to the affected component until a patch is available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
