search menu icon-carat-right cmu-wordmark

CERT Coordination Center

EMC Documentum products contain multiple vulnerabilities

Vulnerability Note VU#315340

Original Release Date: 2014-12-15 | Last Revised: 2017-01-06


EMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.


EMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our spreadsheet. For status from the vendor, please visit (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in the spreadsheet.

The CVSS score below reflects use of backdoor credentials (see VU#184360, VU#695112, and VU#982432 in the spreadsheet).


The severity of impact varies. Specific examples include information disclosure, privilege escalation, authentication bypass, arbitrary code execution, shell command injection, and unauthorized access via backdoor credentials. Worst-case scenarios allow an attacker to take complete control of a vulnerable system.


Apply an update

EMC has released updates to address many of the issues in question. For information about specific updates, including discussion about their effectiveness, refer to the spreadsheet.

Vendor Information


EMC Corporation Affected

Notified:  April 25, 2014 Updated: December 16, 2014

Statement Date:   December 16, 2014



Vendor Statement

EMC has been working with CERT on the issues announced in their recent advisory. We have released updates to address many of the issues in question and are investigating others. We will continue to create our remediation plans for open vulnerabilities and provide remedies via security advisories. We encourage our customers to refer to for the latest EMC Security Advisories: and follow the steps identified in them to protect themselves. Please contact EMC Support for all other questions.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9 E:POC/RL:ND/RC:C
Environmental 6.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Andrey B. Panfilov for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-2520, CVE-2014-2518, CVE-2014-4622, CVE-2014-2514, CVE-2014-2507, CVE-2014-2513, CVE-2014-4618, CVE-2014-4626, CVE-2014-2515, CVE-2014-2504, CVE-2014-4629
Date Public: 2014-12-15
Date First Published: 2014-12-15
Date Last Updated: 2017-01-06 15:45 UTC
Document Revision: 50

Sponsored by CISA.