Description
NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack.
References (1)
Vendor Advisory (x_refsource_confirm): https://www.novell.com/support/kb/doc.php?id=7017806
Scores
CVSS v3 base score: 5.5
EPSS: 0.0039
EPSS Percentile: 30.9%
Attack Vector: LOCAL
CVSS v3 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (3)
n/a / NetIQ Access Manager
netiq/access_manager 4.1 (3 CPE variants)
netiq/access_manager 4.2 (2 CPE variants)
Published: Mar 23, 2017
Tracked Since: Feb 18, 2026