IBM Security Access Manager Container XML external entity injection
Description
IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in IBM Security Access Manager Container (IBM Security Verify Access Appliance and Docker, 10.0.0.0 through 10.0.6.1) allows a remote attacker who can supply XML to the product to expose sensitive information or consume memory resources.
Vulnerability
CVE-2023-32327 is an XML External Entity Injection (XXE) vulnerability in IBM Security Access Manager Container, which is part of IBM Security Verify Access Appliance and IBM Security Verify Access Docker. Versions 10.0.0.0 through 10.0.6.1 are affected. The vulnerability exists when the product processes XML data, allowing an attacker to inject malicious XML entities if the parser is not properly configured to disable external entities [1].
Exploitation
A remote attacker can exploit this vulnerability by submitting specially crafted XML data to an affected component. The description characterizes the attacker as remote but does not state which XML-processing interface is affected or what access or authentication it requires. The attack abuses the XML parser's handling of entity declarations: an external entity can pull in local content, and nested internal entities can expand to many times the size of the submitted document, which is what produces the information disclosure and memory consumption outcomes [1].
Impact
Successful exploitation could result in two primary impacts: (1) exposure of sensitive information, for example local file contents returned in the parser's output or in an error message; (2) denial of service through memory exhaustion, potentially making the service unavailable. The description does not indicate code execution; the stated consequences are information exposure and resource consumption [1].
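The following is an added example, not IBM code and not taken from the advisory. The affected IBM component is not written in Python and its parser configuration is not public, so this only demonstrates the generic mechanism the description names, using the Python standard library's expat binding: a parser that honours DTD entity declarations can be driven to consume memory through nested entity expansion and to disclose a local file through an external entity, and the same parser can be hardened by rejecting entity declarations, external DTD subsets and external entity references. The "billion laughs" document, the secret file and its contents are all constructed for the demo; no network access is made.

```python
"""Entity-expansion and external-entity demo with the Python standard library.

Added example for this CVE page; it is not IBM code.  The affected IBM
component is not Python and its parser configuration is not public, so
this shows only the generic mechanism named in the description.
"""
import os
import tempfile
import xml.parsers.expat

# Constructed sample: a small "billion laughs" document.  Three levels of
# ten-fold expansion turn the single &lol3; reference into 1,000 copies of
# "lol"; real attacks nest ten levels and expand to gigabytes.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<data>&lol3;</data>"""


class UnsafeXML(ValueError):
    """Raised by the hardened parser for DTD features the application never needs."""


def parse_permissive(doc: bytes, follow_external: bool = False) -> str:
    """Return the text content of `doc` with expat's default behaviour:
    internal entities expand without limit.  With follow_external=True the
    parser also dereferences SYSTEM identifiers as local paths, which is the
    resolver behaviour that turns an XXE into a file read."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def resolve(context, base, system_id, public_id):
        # The child parser inherits the parent's handlers, so the file's
        # contents land in `chunks` exactly like ordinary document text.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as f:
            child.Parse(f.read(), True)
        return 1

    if follow_external:
        parser.ExternalEntityRefHandler = resolve
    parser.Parse(doc, True)
    return "".join(chunks)


def parse_hardened(doc: bytes) -> str:
    """Same parser, but entity declarations, external DTD subsets and external
    entity references abort parsing with UnsafeXML.  Refusing these up front
    is the standard XXE fix when the application never needs a DTD."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            raise UnsafeXML(f"external DTD {system_id!r} not allowed")

    def reject_entity_decl(name, *_):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity {system_id!r} not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.Parse(doc, True)
    return "".join(chunks)


def expansion_sizes() -> tuple:
    """(bytes in, characters out) for LAUGHS: a few hundred bytes in, 3,000 out."""
    return len(LAUGHS), len(parse_permissive(LAUGHS))


def leak_secret_file() -> str:
    """Write a constructed secret to a temp file and read it back through an
    external entity, the way a vulnerable resolver would."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db-password=hunter2")  # constructed value, not a real credential
        doc = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "' + secret.encode() + b'">]>'
               b'<d>&xxe;</d>')
        return parse_permissive(doc, follow_external=True)


def hardened_rejects(doc: bytes) -> bool:
    """True if the hardened parser refuses `doc`."""
    try:
        parse_hardened(doc)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("billion laughs (bytes in, chars out):", expansion_sizes())
    print("leaked through external entity:", leak_secret_file())
    print("hardened parser rejects internal entities:", hardened_rejects(LAUGHS))
    print("hardened parser rejects external DTD:",
          hardened_rejects(b'<!DOCTYPE d SYSTEM "http://example.invalid/x.dtd"><d/>'))
    print("hardened parser still parses plain XML:", parse_hardened(b"<d>ok</d>"))
```

The permissive parser is only "vulnerable" to the file read because its resolver follows whatever SYSTEM identifier the document supplies; the expansion attack needs no resolver at all, since internal entities are expanded by the parser itself. Where an application genuinely needs a DTD, the blunter alternative to the three handlers above is to reject any DOCTYPE declaration outright, which is what most XXE remediation guidance recommends.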
Mitigation
IBM has addressed CVE-2023-32327 in IBM Security Verify Access updates. Users should upgrade to the fixed release identified in the vendor's security bulletin [1], which is the authoritative source for fix levels and for any interim mitigations; the CVE description itself lists no workaround.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=10.0.0.0, <=10.0.6.1
- (no CPE) Range: >=10.0.0.0, <=10.0.6.1
- (no CPE) Range: 10.0.0.0
- (no CPE) Range: 10.0.0.0
- Range: >=10.0.0.0, <=10.0.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/pages/node/7106586 (vendor advisory; via MITRE)
- exchange.xforce.ibmcloud.com/vulnerabilities/254783 (vulnerability database entry; via MITRE)
News mentions
No linked articles in our index yet.