Vulnerability CVE-2014-2054

Vulnerability Name:

CVE-2014-2054 (CCN-91885)

Assigned:

2014-03-02

Published:

2014-03-02

Updated:

2014-06-04

Summary:

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Per: http://cwe.mitre.org/data/definitions/611.html

"CWE-611: Improper Restriction of XML External Entity Reference ('XXE')"

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-2054

Source: CONFIRM
Type: Vendor Advisory
http://owncloud.org/about/security/advisories/oC-SA-2014-006/

Source: CCN
Type: SA57357
PHPExcel XML External Entity Processing Vulnerability

Source: CCN
Type: BID-66172
PHPExcel CVE-2014-2054 XML External Entity Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
phpexcel-cve20142054-info-disc(91885)

Source: CONFIRM
Type: UNKNOWN
https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt

Source: CCN
Type: PHPOffice / PHPExcel GIT Repository
PHPExcel / changelog.tx

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-2054

Vulnerable Configuration:

Configuration 1:

cpe:/a:owncloud:owncloud:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:phpexcel_project:phpexcel:*:*:*:*:*:*:*:* (Version <= 1.7.9)

Configuration 2:

cpe:/a:owncloud:owncloud:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.3:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.4:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.5:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.6:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.7:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.8:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.9:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.10:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.11:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.12:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.13:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:5.0.14:*:*:*:*:*:*:*

OR cpe:/a:owncloud:owncloud:*:a:*:*:*:*:*:* (Version <= 5.0.14)

OR cpe:/a:phpexcel_project:phpexcel:*:*:*:*:*:*:*:* (Version <= 1.7.9)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201420540000000	V	CVE-2014-2054 on Ubuntu 18.04 LTS (bionic) - medium.	2014-06-04
oval:com.ubuntu.artful:def:20142054000	V	CVE-2014-2054 on Ubuntu 17.10 (artful) - medium.	2014-06-04
oval:com.ubuntu.trusty:def:20142054000	V	CVE-2014-2054 on Ubuntu 14.04 LTS (trusty) - medium.	2014-06-04
oval:com.ubuntu.xenial:def:201420540000000	V	CVE-2014-2054 on Ubuntu 16.04 LTS (xenial) - medium.	2014-06-04
oval:com.ubuntu.bionic:def:20142054000	V	CVE-2014-2054 on Ubuntu 18.04 LTS (bionic) - medium.	2014-06-04
oval:com.ubuntu.xenial:def:20142054000	V	CVE-2014-2054 on Ubuntu 16.04 LTS (xenial) - medium.	2014-06-04
oval:com.ubuntu.disco:def:201420540000000	V	CVE-2014-2054 on Ubuntu 19.04 (disco) - medium.	2014-06-04
oval:com.ubuntu.cosmic:def:20142054000	V	CVE-2014-2054 on Ubuntu 18.10 (cosmic) - medium.	2014-06-04
oval:com.ubuntu.cosmic:def:201420540000000	V	CVE-2014-2054 on Ubuntu 18.10 (cosmic) - medium.	2014-06-04
oval:com.ubuntu.precise:def:20142054000	V	CVE-2014-2054 on Ubuntu 12.04 LTS (precise) - medium.	2014-06-04

BACK