Executive Summary

Title Openbravo ERP contains an information disclosure vulnerability
Name VU#533894 First vendor Publication 2013-10-30
Vendor VU-CERT Last vendor Modification 2013-11-05
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Cvss Base Score 3.5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 6.8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#533894

Openbravo ERP contains an information disclosure vulnerability

Original Release date: 30 Oct 2013 | Last revised: 05 Nov 2013


Openbravo ERP 2.5, 3, and possibly earlier versions contain an information disclosure vulnerability (CWE-200).


CWE-200: Information Exposure

Openbravo ERP version 2.5 and version 3 contain an information disclosure vulnerability. This is due to the expanded use of XML External Entity (XXE) Processing. An attacker can send specially crafted XML requests to the XML API and have the application return the contents of files on the filesystem.

An example of this request is listed here:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
        <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de PiƱa 0,5L">

If sent as a PUT or POST request to the respective REST endpoint, this will update the product with the contents of /etc/passwd in the comment section of the product. You may then make a GET request to the respective product's REST endpoint to receive the contents back and parse the file's contents.

For more details, please see Tod Beardsley's Rapid7 blog post.


An authenticated attacker can send specially crafted XML requests to the XML API and have the application read the contents of the filesystem. This may be used to obtain unauthorized administrative access to the system.


Apply an Update
OpenBravo has released an update to address this vulnerability. Please refer to their issue tracker for more details.

You may also want to consider using the following workaround.

Disable XXE
By disabling the external general entities feature of the SAXParserFactory used to parse the XML within Java code, the attacker cannot successfully make these XML requests. More details can be found on the OWASP XML External Entity (XXE) Processing page.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
OpenbravoAffected03 Sep 201311 Sep 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://cwe.mitre.org/data/definitions/200.html
  • http://www.openbravo.com/
  • http://wiki.openbravo.com/wiki/Updates_and_upgrades
  • http://sourceforge.net/projects/openbravo/files/01-openbravo-appliances/
  • https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
  • https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one


Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

  • CVE IDs:CVE-2013-3617
  • Date Public:30 Oct 2013
  • Date First Published:30 Oct 2013
  • Date Last Updated:05 Nov 2013
  • Document Revision:38


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/533894

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Application 217

Alert History

If you want to see full details history, please login or register.
Date Informations
2013-12-14 17:18:07
  • Multiple Updates
2013-11-21 21:23:16
  • Multiple Updates
2013-11-11 13:36:12
  • Multiple Updates
2013-11-06 00:19:51
  • Multiple Updates
2013-11-04 21:36:07
  • Multiple Updates
2013-11-03 00:22:30
  • Multiple Updates
2013-10-30 17:19:11
  • First insertion