Description
Apache Batik is vulnerable to server-side request forgery (SSRF), caused by improper input validation of the "xlink:href" attributes. By supplying a specially crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Related
{"id": "GHSA-CMX4-P4V5-HMR5", "vendorId": null, "type": "github", "bulletinFamily": "software", "title": "Server-side request forgery (SSRF) in Apache Batik", "description": "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", "published": "2022-02-09T00:46:46", "modified": "2023-01-27T05:02:26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://github.com/advisories/GHSA-cmx4-p4v5-hmr5", "reporter": "GitHub Advisory Database", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-17566", "https://github.com/apache/xmlgraphics-batik/commit/bc6078ca949039e2076cd08b4cb169c84c1179b1", "https://issues.apache.org/jira/browse/BATIK-1276", "https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E", 
"https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2021.html", "https://xmlgraphics.apache.org/security.html", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html", "https://github.com/advisories/GHSA-cmx4-p4v5-hmr5"], "cvelist": ["CVE-2019-17566"], "immutableFields": [], "lastseen": "2023-01-27T05:07:14", "viewCount": 46, "enchantments": {"score": {"value": 2.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2019-17566"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-17566"]}, {"type": "fedora", "idList": ["FEDORA:0D7F230979AB", "FEDORA:1364530979AB", "FEDORA:2BD533098BA0", "FEDORA:49205309799A", "FEDORA:61A713098ED5", "FEDORA:7A1EA3098BA2", "FEDORA:85B0430979AB", "FEDORA:94A8C309799A", "FEDORA:9F2FE3098B94", "FEDORA:AF19730979AB", "FEDORA:BACE03098BA0", "FEDORA:C6AD93098B94", "FEDORA:D4B143098BA2", "FEDORA:E0E2C3098BA0", "FEDORA:EDF1E309799A"]}, {"type": "ibm", "idList": ["05F3B2BCBA66E63FF50CAB9D4E4610B2EAE6CD3DA38047220611B10B02307DE3", "11D50567E527C1FAA2CC7E5BFC7E0A144943437DED5DC6E20F8744DBB47E7648", "476B017015C7BC4F8F39C2B41A3D687C1FD9E58B44A524C0A4CF05B7ED875145", "570AF6CDC4F7E864E6852EBD03923041C13A884B424AC254820AD0EEB73694DF", "B9609A42BFED86C36189258C748597C29F9D824D3DD52ECECFEEA902FDA884B1", "E985F7DD50D9D8A298856E2C1DDC013C56A405C6DA86C2ECE58AB850F0AC19BE", "EB600CE5395CD89BA24F74E48B91CAA92CF18E64A90B1514E5930A42BF80F58A"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-851.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310853223"]}, {"type": "oracle", "idList": 
["ORACLE:CPUJAN2022"]}, {"type": "redhat", "idList": ["RHSA-2020:4961"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-17566"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0851-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-17566"]}]}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-17566"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-17566"]}, {"type": "fedora", "idList": ["FEDORA:0D7F230979AB", "FEDORA:1364530979AB", "FEDORA:2BD533098BA0", "FEDORA:49205309799A", "FEDORA:61A713098ED5", "FEDORA:7A1EA3098BA2", "FEDORA:85B0430979AB", "FEDORA:94A8C309799A", "FEDORA:9F2FE3098B94", "FEDORA:AF19730979AB", "FEDORA:BACE03098BA0", "FEDORA:C6AD93098B94", "FEDORA:D4B143098BA2", "FEDORA:E0E2C3098BA0", "FEDORA:EDF1E309799A"]}, {"type": "ibm", "idList": ["016248796F0D60834A9AE6D8C8659223A06C7DCF5A1BFEB093E2C71A7B706F76", "05F3B2BCBA66E63FF50CAB9D4E4610B2EAE6CD3DA38047220611B10B02307DE3", "066CC30FF07EA70663C1053750F35662E071CE8F2ADB63927D6FD5956CB157A7", "099DD49202775CBB1F4948F66DB50FAE41385719EDE85DEF5171C85DA36B727F", "0BDDBA484F3367829DBE683BE155B8F63CE6E7CF5747401F154DB308D91D8FD4", "0F297F5F87FAC22F33127BF32110D0C0B158B6859BCE9E0ED4EB35484AD06F6A", "11D50567E527C1FAA2CC7E5BFC7E0A144943437DED5DC6E20F8744DBB47E7648", "124495DD455D7F5D1C3DB0D3404B8054E94AC8A5A5D620E6E377E96048271229", "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "353C8048EB40D7C11CD60ABB9D7F5DFD666EDB60B698E9932FC1A04919041609", "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "476B017015C7BC4F8F39C2B41A3D687C1FD9E58B44A524C0A4CF05B7ED875145", "491394DDEE034747D7811D1973C25BFF278CF244B77553F19F191E2CAC5CF3CB", "4F83B26494F5C02A937F66487471A788F350B0FE1D9EABC80254DB502CA97A51", "570AF6CDC4F7E864E6852EBD03923041C13A884B424AC254820AD0EEB73694DF", "5F792F8D340FF2EE83DE40316936CA0AA1272904A4423A4CAF9FA698D9FD6BE0", "66886B86D22AD162D05F9B987C32085ED4A1AA2754E87D356E718DE087B7313A", 
"6FC3A70E69693A6A15050339D9B2368FE0F69A247562F6FDA33037FBACD59417", "77D1D444B20370DE0EDFF23D9E385D851AC796623E4D85D114F6A8AA31FAB59A", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "9770323F532BB10EA2CF6AA35FD83A103279F223480B36A5D157CEB2FDA4B9D8", "B9609A42BFED86C36189258C748597C29F9D824D3DD52ECECFEEA902FDA884B1", "C95C9771121CCE6842ACFEDC26BFC21B9739D3FC215633C459D55FD458440B00", "D0B36475A4B658E0814531AA499810EB812EB1431F68943B8310DF7002931DBE", "D794EA27CA7E3FF8825CDCEFF3439F08F1C4C2B94C2E54C22629BF94087D371F", "DC8B783B9EAA31C03B1E404FC721223E232D2BB78FAD1F0FF5BCC2915BC8629E", "E24DA558C6C58E4DA05950B06D7C9C1BFB980CB0462AF1D70A81036D55BCE675", "E619F0B12EAE67CCCEC5CE0326BC6EB363C3E94F87723AB21878B776DD8B0317", "E677723D81339CA25FE5CB670D8786FB1ABB44D538C8C5D7C05E9A9FAE453FF7", "E888E5EBE83D27A538FE4C5957DF731881D9808C40870DA1BFEB861547852D38", "E985F7DD50D9D8A298856E2C1DDC013C56A405C6DA86C2ECE58AB850F0AC19BE", "E9CDD69A151880279AA5C5E27039A10306BBC1E05EF41BEE24FB52ADDD64851C", "EB600CE5395CD89BA24F74E48B91CAA92CF18E64A90B1514E5930A42BF80F58A", "EBBA69401956060B98C4FDDE1CDAAA10D09B28A527F8C5C2F8D2998B16B675C4"]}, {"type": "mageia", "idList": ["MGASA-2021-0168"]}, {"type": "nessus", "idList": ["FEDORA_2020-CF8EF2F333.NASL", "OPENSUSE-2020-851.NASL", "ORACLE_GOLDENGATE_CPU_OCT_2021.NASL", "ORACLE_RDBMS_CPU_JUL_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2022.NASL", "WEBSPHERE_6322683.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310853223"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2021", "ORACLE:CPUOCT2021", "ORACLE:CPUOCT2022"]}, {"type": "osv", "idList": ["OSV:GHSA-CMX4-P4V5-HMR5"]}, {"type": "redhat", "idList": ["RHSA-2020:4960", "RHSA-2020:4961", "RHSA-2020:5568"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-17566"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0851-1", "OPENSUSE-SU-2020:1043-1"]}, {"type": "ubuntucve", "idList": 
["UB:CVE-2019-17566"]}, {"type": "veracode", "idList": ["VERACODE:25693"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "org.apache.xmlgraphics:batik", "version": 1}]}, "epss": [{"cve": "CVE-2019-17566", "epss": "0.001720000", "percentile": "0.525580000", "modified": "2023-03-19"}], "vulnersScore": 2.7}, "_state": {"dependencies": 1674796084, "score": 1674796154, "affected_software_major_version": 1674796202, "epss": 1679323282}, "_internal": {"score_hash": "0ad746cafdc3ed52b14b5561c91b5ec1"}, "affectedSoftware": [{"version": "1.13", "operator": "lt", "ecosystem": "MAVEN", "name": "org.apache.xmlgraphics:batik"}]}
{"ibm": [{"lastseen": "2023-02-27T21:51:39", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Cloud Pak for Applications. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Products and Versions(s)| Affected Supporting Products and Version(s) \n---|--- \nIBM Cloud Pak for Applications, all versions| \n\nWebSphere Application Server\n\n * 9.0\n * 8.5\n * 8.0 \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n[Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-27T19:29:06", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server which is a component of IBM Cloud Pak for Applications is vulnerable to a server-side request forgery vulnerability in the Apache Batik library (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-27T19:29:06", "id": "353C8048EB40D7C11CD60ABB9D7F5DFD666EDB60B698E9932FC1A04919041609", "href": "https://www.ibm.com/support/pages/node/6323735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:15", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683>) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683>) \nPredictive Customer Intelligence 1.1.2| Websphere Application Server 9.0.0.4| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683>) \n \n## \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-04T14:44:11", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability in Websphere Application Server Affects Predictive Customer Intelligence (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-09-04T14:44:11", "id": "C95C9771121CCE6842ACFEDC26BFC21B9739D3FC215633C459D55FD458440B00", "href": "https://www.ibm.com/support/pages/node/6326889", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:41", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \nIBM Case Manager| 5.2.1 \nIBM Case Manager| 5.2.0 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-26T19:45:02", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2019-17566"], "modified": "2020-08-26T19:45:02", "id": "E9CDD69A151880279AA5C5E27039A10306BBC1E05EF41BEE24FB52ADDD64851C", "href": "https://www.ibm.com/support/pages/node/6323313", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:12", "description": "## Summary\n\nA Security Vulnerability Has Been Identified In Apache Batik. IBM WebSphere Application Server which is shipped with IBM Security Access Manager for Enterprise Single Sign-On is affected by Apache Batik. Information about this security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1, 8.2.2\n\n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1| IBM WebSphere Application Server 8.5| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2| IBM WebSphere Application Server 8.5| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-09T03:12:20", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In Apache Batik used by IBM WebSphere Application Server which is shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-09-09T03:12:20", "id": "066CC30FF07EA70663C1053750F35662E071CE8F2ADB63927D6FD5956CB157A7", "href": "https://www.ibm.com/support/pages/node/6327523", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:40", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Remote Server - Product Family| 9.0, 8.5 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 9.0, 8.5| WebSphere Application Server 9.0, 8.5, 8.0| \n\n[Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-27T18:28:28", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-27T18:28:28", "id": "491394DDEE034747D7811D1973C25BFF278CF244B77553F19F191E2CAC5CF3CB", "href": "https://www.ibm.com/support/pages/node/6323713", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:41", "description": "## Summary\n\nApache Batik is a required product forwith IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2.0 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.2.0| \n\n[Vulnerability in Apache Batik affects WebSphere Application Server](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server\" )\n\nSee section: For V8.5.0.0 through 8.5.5.17: \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-11-27T09:04:51", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in Apache Batik, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-27T09:04:51", "id": "E888E5EBE83D27A538FE4C5957DF731881D9808C40870DA1BFEB861547852D38", "href": "https://www.ibm.com/support/pages/node/6373230", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:48:42", "description": "## Summary\n\nApache Batik is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| \n\n[Vulnerability in Apache Batik affects WebSphere Application Server](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server\" )\n\n \nSee section: For V8.5.0.0 through 8.5.5.17: \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-11-27T09:05:31", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in Apache Batik, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-27T09:05:31", "id": "6FC3A70E69693A6A15050339D9B2368FE0F69A247562F6FDA33037FBACD59417", "href": "https://www.ibm.com/support/pages/node/6373232", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:51:35", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Security Key Lifecycle Manager | 4.0 \nIBM Security Key Lifecycle Manager | 3.0.1 \nIBM Security Key Lifecycle Manager | 3.0 \nIBM Security Key Lifecycle Manager | 2.7 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-28T18:12:19", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-17566"], "modified": "2020-08-28T18:12:19", "id": "D0B36475A4B658E0814531AA499810EB812EB1431F68943B8310DF7002931DBE", "href": "https://www.ibm.com/support/pages/node/6324247", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:22", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Security Identity Manager (ISIM). Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nISIM| 6.0.0 \nISIM| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s)| Affected Supporting Product Security Bulletin \n---|---|--- \nISIM 6.0.0 | WAS 8.5| \n\n# \n\n# [Security Bulletin: Vulnerability in Apache Batik in WebSphere Application Server traditional (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik in WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n# \n \nISIM 6.0.2| WAS 9.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-31T20:16:17", "type": "ibm", "title": "Security Bulletin: Security vulnerabilty have been identified in IBM WebSphere Application Server shipped with IBM Security Identity Manager(CVE-2019-17566)", "bulletinFamily": "software", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-31T20:16:17", "id": "05F3B2BCBA66E63FF50CAB9D4E4610B2EAE6CD3DA38047220611B10B02307DE3", "href": "https://www.ibm.com/support/pages/node/6324827", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:46", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of IBM Operations Analytics Predictive Insights. Information about WebSphere Application Server security vulnerability ( CVE-2019-17566 ) due to Apache Batik vulnerability has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights - All | Websphere Application Server 8.5 \nIBM Operations Analytics Predictive Insights - All | Websphere Application Server 9.0 \n \n \n\n\n## Remediation/Fixes\n\nFor more information and recommended solutions see the disclosed security bulletin: [Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-batik-affects-websphere-application-server-cve-2019-17566> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-23T14:50:01", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-23T14:50:01", "id": "E985F7DD50D9D8A298856E2C1DDC013C56A405C6DA86C2ECE58AB850F0AC19BE", "href": "https://www.ibm.com/support/pages/node/6371842", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:49:03", "description": "## Summary\n\nThere is a server-side request forgery vulnerability in the Apache Batik library which is used by WebSphere Application Server. 
This has been addressed.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 - 1.1.3.8 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nJazz for Service Management version 1.1.3 - 1.1.3.8| Websphere Application Server Full Profile 8.5.5 | [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) \nJazz for Service Management version 1.1.3.7 - 1.1.3.8| \n\nWebsphere Application Server Full Profile 9.0\n\n| [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS interim fix.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-10T14:05:35", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to CVE-2019-17566", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-10T14:05:35", "id": "E24DA558C6C58E4DA05950B06D7C9C1BFB980CB0462AF1D70A81036D55BCE675", "href": "https://www.ibm.com/support/pages/node/6365863", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:50:54", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses Apache Batik libraries, for which there is a publicly known vulnerability. Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nC\u00faram SPM| 7.0.10 \nC\u00faram SPM| 7.0.5.0 - 7.0.9 \n \n\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nC\u00faram SPM| \n\n7.0.10\n\n| Visit IBM Fix Central and upgrade to [7.0.10 iFix1](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.10.0&platform=All&function=all> \"7.0.10 iFix1\" ) or a subsequent 7.0.10 release. \nC\u00faram SPM| \n\n7.0.9\n\n| Visit IBM Fix Central and upgrade to [7.0.9 iFix4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.9.0_RP&platform=All&function=all> \"7.0.9 iFix4\" ) or a subsequent 7.0.9 release. \n \n## Workarounds and Mitigations\n\nFor information about all other versions, contact IBM C\u00faram Social Program Management customer support. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-15T17:17:39", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Batik library affects IBM C\u00faram Social Program Management (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-09-15T17:17:39", "id": "5F792F8D340FF2EE83DE40316936CA0AA1272904A4423A4CAF9FA698D9FD6BE0", "href": "https://www.ibm.com/support/pages/node/6333051", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:37:54", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Automation Workflow, IBM Business Process Manager, and WebSphere Enterprise Service Bus. 
Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| V20.0 \nV19.0 \nV18.0 \nIBM Business Process Manager| V8.6 \nV8.5 \nV8.0 \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\nNote that Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.\n\n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin: [Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-14T15:28:14", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2022-09-14T15:28:14", "id": "124495DD455D7F5D1C3DB0D3404B8054E94AC8A5A5D620E6E377E96048271229", "href": "https://www.ibm.com/support/pages/node/6326853", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:32", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nMaximo Asset Management 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6 \nMaximo for Oil and Gas 7.6 \nMaximo for Utilities 7.6 \nMaximo for Aviation 7.6 \nMaximo Linear Asset Manager 7.6 \nMaximo for Service Providers 7.6 \nMaximo Asset Health Insights 7.6 \nControl Desk 7.6\n\n| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \n \n## Remediation/Fixes\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-31T13:06:44", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-31T13:06:44", "id": "E677723D81339CA25FE5CB670D8786FB1ABB44D538C8C5D7C05E9A9FAE453FF7", "href": "https://www.ibm.com/support/pages/node/6324667", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:42", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal product and version| Affected product and version \n---|--- \nBusiness Monitor V8.5.7| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.6| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.5| WebSphere Application Server V8.5.5 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) for vulnerability details and information about fixes. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-27T07:16:21", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-27T07:16:21", "id": "016248796F0D60834A9AE6D8C8659223A06C7DCF5A1BFEB093E2C71A7B706F76", "href": "https://www.ibm.com/support/pages/node/6323563", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:43", "description": "## Summary\n\nThere is a server-side request forgery vulnerability in the Apache Batik library which is used by WebSphere Application Server. This has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. 
By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Application Server| 9.0 \nWebSphere Application Server| 8.0 \nWebSphere Application Server| 8.5 \n \n\n\n## Remediation/Fixes\n\n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:**\n\n**For V9.0.0.0 through 9.0.5.4:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH26761](<https://www.ibm.com/support/pages/node/6322645> \"PH26761\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.5.5 or later (targeted availability 3Q2020). \n\n**For V8.5.0.0 through 8.5.5.17:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH26761 ](<https://www.ibm.com/support/pages/node/6322645> \"PH26761\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.18 or later (targeted availability 3Q2020).\n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to 8.0.0.15 and then apply Interim Fix [PH26761](<https://www.ibm.com/support/pages/node/6322645> \"PH26761\" )\n\n \nAdditional interim fixes may be available and linked off the interim fix download page.\n\n_WebSphere Application Server V8.0 is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
_\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-25T21:46:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-25T21:46:45", "id": "099DD49202775CBB1F4948F66DB50FAE41385719EDE85DEF5171C85DA36B727F", "href": "https://www.ibm.com/support/pages/node/6322683", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:40", "description": "## Summary\n\nIBM WebSphere\u00ae Application Server is shipped with IBM\u00ae Intelligent Operations Center. 
Information about a security vulnerability affecting IBM WebSphere\u00ae Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIntelligent Operations Center (IOC)| 1.5.0, 1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3 \n \nIBM Intelligent Operations Center for Emergency Management (Linux)\n\n| 1.6.0 \n \n\n\n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-27T17:38:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-08-27T17:38:17", "id": "11D50567E527C1FAA2CC7E5BFC7E0A144943437DED5DC6E20F8744DBB47E7648", "href": "https://www.ibm.com/support/pages/node/6323709", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:43", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nWebSphere Application Server Patterns, all versions| WebSphere Application Server: \n\n * 9.0\n * 8.5 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6322683> \"WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2020-08-26T14:19:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server shipped with IBM WebSphere Application Server Patterns (CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4589"], "modified": "2020-08-26T14:19:37", "id": "0F297F5F87FAC22F33127BF32110D0C0B158B6859BCE9E0ED4EB35484AD06F6A", "href": "https://www.ibm.com/support/pages/node/6323235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:51:13", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Rational ClearCase| 8.0.0 \nIBM Rational ClearCase| 9.0 \nIBM Rational ClearCase| 9.0.1 \nIBM Rational ClearCase| 9.0.2 \nIBM Rational ClearCase| 8.0.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. 
\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x| IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0.| \n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n[Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293> \"Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting \\(CVE-2020-4575\\)\" ) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-08T13:53:04", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2019-17566, CVE-2020-4575)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4575"], "modified": "2020-09-08T13:53:04", "id": "E619F0B12EAE67CCCEC5CE0326BC6EB363C3E94F87723AB21878B776DD8B0317", "href": "https://www.ibm.com/support/pages/node/6327363", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:51:41", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. 
Information about security vulnerabilities affecting WebSphere Application Server have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version \n \n---|--- \n \nWebSphere Service Registry and Repository V8.5\n\n| \n\nWebSphere Application Server V8.5.5 \n \nWebSphere Service Registry and Repository V8.0\n\n| \n\nWebSphere Application Server V8.0 \n \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes: \n\n * [Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-remote-code-execution-vulnerability-cve-2020-4589> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n * [Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-26T16:15:24", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server 
shipped with WebSphere Service Registry and Repository (CVE-2020-4589 and CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4589"], "modified": "2020-08-26T16:15:24", "id": "77D1D444B20370DE0EDFF23D9E385D851AC796623E4D85D114F6A8AA31FAB59A", "href": "https://www.ibm.com/support/pages/node/6323269", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:51:13", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about security vulnerabilities affecting WAS have been published in multiple security bulletins. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Rational ClearQuest | 8.0.1 \nIBM Rational ClearQuest | 9.0.2 \nIBM Rational ClearQuest | 8.0.0 \nIBM Rational ClearQuest | 9.0 \nIBM Rational ClearQuest | 9.0.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is used by IBM Rational ClearQuest. 
\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x | IBM WebSphere Application Server versions 7.0, 8.0, 8.5 and 9.0. | \n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n[Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293> \"Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting \\(CVE-2020-4575\\)\" ) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x | Apply the appropriate IBM WebSphere Application Server fix (see bulletin link above) directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n_For 8.0.x, 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-08T14:11:24", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4575", "CVE-2020-4589"], "modified": "2020-09-08T14:11:24", "id": "EB600CE5395CD89BA24F74E48B91CAA92CF18E64A90B1514E5930A42BF80F58A", "href": "https://www.ibm.com/support/pages/node/6327357", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:48:12", "description": "## Summary\n\nFix is available for vulnerabilities in Apache Batik affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2017-5662, CVE-2018-8013, CVE-2015-0250, CVE-2019-17566).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik 
is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2017-5662](<https://vulners.com/cve/CVE-2017-5662>) \n** DESCRIPTION: **Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125198](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125198>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2018-8013](<https://vulners.com/cve/CVE-2018-8013>) \n** DESCRIPTION: **Apache Batik could allow a remote attacker to obtain sensitive information, caused by an error when deserializing subclass of `AbstractDocument`. An attacker could exploit this vulnerability to reveal files and obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143678](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143678>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2015-0250](<https://vulners.com/cve/CVE-2015-0250>) \n** DESCRIPTION: **Apache Batik could allow a remote attacker to obtain sensitive information. 
By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/101614](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101614>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n## Remediation/Fixes\n\n** Product**| ** VRMF**| ** APAR**| ** Remediation/First Fix** \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ29150| Apply Fix Pack 21 \n([Fix Pack for WebGUI 8.1.0 Fix Pack 21](<https://www.ibm.com/support/pages/node/6335675> \"Fix Pack for WebGUI 8.1.0 Fix Pack 21\" )) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-15T13:01:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Batik affect Tivoli Netcool/OMNIbus WebGUI (CVE-2017-5662, CVE-2018-8013, CVE-2015-0250, CVE-2019-17566)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.9, "vectorString": "AV:N/AC:M/Au:S/C:C/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0250", "CVE-2017-5662", "CVE-2018-8013", "CVE-2019-17566"], "modified": "2020-12-15T13:01:33", "id": "EBBA69401956060B98C4FDDE1CDAAA10D09B28A527F8C5C2F8D2998B16B675C4", "href": "https://www.ibm.com/support/pages/node/6382228", "cvss": {"score": 7.9, "vector": "AV:N/AC:M/Au:S/C:C/I:N/A:C"}}, {"lastseen": "2023-02-27T21:49:42", "description": "## Summary\n\nJazz for Service Management is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)\n\n## Vulnerability Details\n\n**CVEID: **CVE-2017-15708 \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. 
In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version\n\n**CVEID: **CVE-2015-6420 \n**DESCRIPTION: ** Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library\n\n**CVEID: **CVE-2015-4852 \n**DESCRIPTION: ** The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n## Affected Products and Versions\n\n## Affected JazzSM versions\n\nAffected Product(s) | Version(s) \n---|--- \nJazz for Service Management | 1.1.3 - 1.1.3.8 \n \n## Remediation/Fixes\n\n1\\. Upgrade IBM Websphere Application Server (WAS) version to v8.5.5.17 or v8.5.5.18\n\n2\\. Move commons-collections.jar file from the path below to another safe location \n\n<JazzSM Installed Location>/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n3\\. Copy commons-collections.jar file from folder <WAS Installed Location>/systemApps/isclite.ear to <JazzSM Installed Location>/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n4\\. 
Restart the JazzSM profile server\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-20T11:33:26", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management (JazzSM) is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2017-15708", "CVE-2019-17566"], "modified": "2020-10-20T11:33:26", "id": "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "href": "https://www.ibm.com/support/pages/node/6350069", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:48:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in security bulletins. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Federated Identity Manager| All \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Versions| Affected Supporting Product and versions| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Federated Identity Manager 6.2.x| IBM WebSphere Application Server 7.0, 8.0, 8.5| [WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578)](<https://www.ibm.com/support/pages/node/6328895> \"WebSphere Application Server Admin Console is vulnerable to cross-site scripting \\(CVE-2020-4578\\)\" ) \nIBM Tivoli Federated Identity Manager 6.2.x| IBM WebSphere Application Server 7.0, 8.0, 8.5| [WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643)](<https://www.ibm.com/support/pages/node/6334311> \"WebSphere Application Server is vulnerable to an information exposure vulnerability \\(CVE-2020-4643\\)\" ) \nIBM Tivoli Federated Identity Manager 6.2.x| IBM WebSphere Application Server 7.0, 8.0, 8.5| [WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4629)](<https://www.ibm.com/support/pages/node/6339255> \"WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4629\\)\" ) \nIBM Tivoli Federated Identity Manager 6.2.x| IBM WebSphere Application Server 7.0, 8.0, 8.5| [WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576)](<https://www.ibm.com/support/pages/node/6339807> \"WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4576\\)\" ) \nIBM Tivoli Federated Identity Manager 6.2.x| IBM WebSphere Application Server 7.0, 8.0, 8.5| [Vulnerability in Apache Batik affects WebSphere Application Server 
(CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-09T16:14:35", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4629", "CVE-2020-4643"], "modified": "2020-12-09T16:14:35", "id": "9770323F532BB10EA2CF6AA35FD83A103279F223480B36A5D157CEB2FDA4B9D8", "href": "https://www.ibm.com/support/pages/node/6380352", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:50:28", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. 
Vulnerabilities have been identified in WebSphere Application Server and the information about their fixes are published in security bulletins. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4589](<https://vulners.com/cve/CVE-2020-4589>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 184585. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184585](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184585>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4534](<https://vulners.com/cve/CVE-2020-4534>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182808](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182808>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4575](<https://vulners.com/cve/CVE-2020-4575>) \n** DESCRIPTION: **IBM WebSphere Application Server ND 8.5 and 9.0, and IBM WebSphere Virtual Enterprise 7.0 and 8.0 are vulnerable to cross-site scripting when High Availability Deployment Manager is configured. \nCVSS Base score: 4.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184363](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184363>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4643](<https://vulners.com/cve/CVE-2020-4643>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185590](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185590>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4578](<https://vulners.com/cve/CVE-2020-4578>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184433. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184433](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184433>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCloud Orchestrator| 2.5.0.10 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to manually upgrade to the appropriate WebSphere Application Server Interim Fix on IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5.0.10. \n\nConsult the following WebSphere Application Server security bulletins for the vulnerability details and information about their fixes:\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643)](<https://www.ibm.com/support/pages/node/6334311> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \\(CVE-2020-4643\\)\" )\n\n[Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293> \"Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting \\(CVE-2020-4575\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4534)](<https://www.ibm.com/support/pages/node/6255074> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4534\\)\" )\n\n[Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578)](<https://www.ibm.com/support/pages/node/6328895> \"Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting \\(CVE-2020-4578\\)\" )\n\n[Security Bulletin: 
WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-29T09:51:50", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4534", "CVE-2020-4575", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4643"], "modified": "2020-09-29T09:51:50", "id": "B9609A42BFED86C36189258C748597C29F9D824D3DD52ECECFEEA902FDA884B1", "href": "https://www.ibm.com/support/pages/node/6339089", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:49:44", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Predictive Maintenance and Quality and 
Predictive Maintenance Insights On-Premises. Vulnerabilities have been identified in WebSphere Application Server and the information about their fixes are published in security bulletins. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Maximo APM - Predictive Maintenance Insights On-Premises| All \n---|--- \nIBM Predictive Maintenance and Quality| All \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to manually upgrade to the appropriate WebSphere Application Server Interim Fix on IBM Predictive Maintenance and Quality and Predictive Maintenance Insights On-Premises. \n\nConsult the following WebSphere Application Server security bulletins for the vulnerability details and information about their fixes:\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643)](<https://www.ibm.com/support/pages/node/6334311> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \\(CVE-2020-4643\\)\" )\n\n[Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293> \"Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting \\(CVE-2020-4575\\)\" )\n\n[Security Bulletin: 
WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578)](<https://www.ibm.com/support/pages/node/6328895> \"Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting \\(CVE-2020-4578\\)\" )\n\n[Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2020-4590)](<https://www.ibm.com/support/pages/node/6333623> \"Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty \\(CVE-2020-4590\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576)](<https://www.ibm.com/support/pages/node/6339807> \"Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4576\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4629)](<https://www.ibm.com/support/pages/node/6339255> \"Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4629\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-19T15:09:06", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in WebSphere Application Server affect Predictive Maintenance and Quality and Predictive Maintenance Insights", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4575", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4590", "CVE-2020-4629", "CVE-2020-4643"], "modified": "2020-10-19T15:09:06", "id": "0BDDBA484F3367829DBE683BE155B8F63CE6E7CF5747401F154DB308D91D8FD4", "href": "https://www.ibm.com/support/pages/node/6349573", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-28T21:36:28", "description": "## Summary\n\nMultiple vulnerabilities (CVE-2009-4521; CVE-2015-0250; CVE-2017-5662; CVE-2018-8013; CVE-2019-17566; CVE-2020-11987; CVE-2009-4269; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2021-41033) found in TCRtoolkit component present in IBM Tivoli Network Manager (ITNM) IP Edition. The fix contains the removal of affected component from ITNM.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2009-4521](<https://vulners.com/cve/CVE-2009-4521>) \n** DESCRIPTION: **Eclipse BIRT is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the report viewer. A remote attacker could exploit this vulnerability using the __report parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Note: KonaKart uses BIRT and is also vulnerable. 
\nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53773](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53773>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2015-0250](<https://vulners.com/cve/CVE-2015-0250>) \n** DESCRIPTION: **Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/101614](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101614>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n** CVEID: **[CVE-2017-5662](<https://vulners.com/cve/CVE-2017-5662>) \n** DESCRIPTION: **Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125198](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125198>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2018-8013](<https://vulners.com/cve/CVE-2018-8013>) \n** DESCRIPTION: **Apache Batik could allow a remote attacker to obtain sensitive information, caused by an error when deserializing subclass of `AbstractDocument`. An attacker could exploit this vulnerability to reveal files and obtain sensitive information. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143678](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143678>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-11987](<https://vulners.com/cve/CVE-2020-11987>) \n** DESCRIPTION: **Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197372](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197372>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2009-4269](<https://vulners.com/cve/CVE-2009-4269>) \n** DESCRIPTION: **Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. 
By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information. \nCVSS Base score: 2.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/61202](<https://exchange.xforce.ibmcloud.com/vulnerabilities/61202>) for the current score. \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n \n** CVEID: **[CVE-2021-41033](<https://vulners.com/cve/CVE-2021-41033>) \n** DESCRIPTION: **Eclipse Equinox is vulnerable to a man-in-the-middle attack, caused by the use of unencrypted HTTP communication in p2 repositories. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to alter the local installation, and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209186](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209186>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2 GA through 4.2.0.15 \n \n\n\n## Remediation/Fixes\n\nThe issue has been fixed in ITNM 4.2 Fix Pack 16 (i.e. 4.2.0.16). Upgrade ITNM 4.2 to Fix Pack 16 from Fix Central. 
\n\n[4.2.0-TIV-ITNMIP-Linux-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-Linux-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-Linux-FP0016\" )\n\n[4.2.0-TIV-ITNMIP-zLinux-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-zLinux-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-zLinux-FP0016\" )\n\n[4.2.0-TIV-ITNMIP-AIX-FP0016](<https://www.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FTivoli+Network+Manager+IP+Edition&fixids=4.2.0-TIV-ITNMIP-AIX-FP0016&source=SAR&function=fixId&parent=ibm/Tivoli> \"4.2.0-TIV-ITNMIP-AIX-FP0016\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-04T15:55:01", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities discovered in libraries used by TCRtoolkit in ITNM", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.9, "vectorString": "AV:N/AC:M/Au:S/C:C/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4269", "CVE-2009-4521", "CVE-2015-0250", 
"CVE-2017-5662", "CVE-2018-8013", "CVE-2019-17566", "CVE-2020-11987", "CVE-2021-41033"], "modified": "2023-01-04T15:55:01", "id": "66886B86D22AD162D05F9B987C32085ED4A1AA2754E87D356E718DE087B7313A", "href": "https://www.ibm.com/support/pages/node/6852611", "cvss": {"score": 7.9, "vector": "AV:N/AC:M/Au:S/C:C/I:N/A:C"}}, {"lastseen": "2023-02-27T21:48:58", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty that affect IBM Engineering Products based on IBM Jazz technology. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRQM| 6.0.6.1 \nRQM| 6.0.6 \nETM| 7.0.0 \nRQM| 6.0.2 \nETM| 7.0.1 \nRhapsody DM| 6.0.6 \nRhapsody DM| 6.0.6.1 \nRhapsody DM| 6.0.2 \nRDM| 7.0 \nRDM| 7.0.1 \nRTC| 6.0.2 \nRTC| 6.0.6.1 \nEWM| 7.0 \nRTC| 6.0.6 \nEWM| 7.0.1 \nCLM| 6.0.2 \nCLM| 6.0.6 \nCLM| 6.0.6.1 \nELM| 7.0 \nELM| 7.0.1 \nRDNG| 6.0.2 \nRDNG| 6.0.6 \nRDNG| 6.0.6.1 \nDOORS Next| 7.0 \nDOORS Next| 7.0.1 \n \n \n\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version, some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS has been published. 
\n\nFor ELM applications version 6.0 to 7.0.2 review the Security Bulletin below to determine if your WAS version is affected and the required remediation:\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576)](<https://www.ibm.com/support/pages/node/6339807>)\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4629)](<https://www.ibm.com/support/pages/node/6339255>)\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643)](<https://www.ibm.com/support/pages/node/6334311>)\n\n[Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2020-4590)](<https://www.ibm.com/support/pages/node/6333623>)\n\n[Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293>)\n\n[Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578)](<https://www.ibm.com/support/pages/node/6328895>)\n\n[Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693)](<https://www.ibm.com/support/pages/node/6348216>)\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683>)\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333>)\n\n[Security Bulletin: WebSphere Application Server Admin Console is vulnerable to a directory traversal vulnerability (CVE-2020-4782)](<https://www.ibm.com/support/pages/node/6356083>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-12T15:45:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Engineering ELM products based on IBM Jazz technology.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-10693", "CVE-2020-4575", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4590", "CVE-2020-4629", "CVE-2020-4643", "CVE-2020-4782"], "modified": "2020-11-12T15:45:10", "id": "4F83B26494F5C02A937F66487471A788F350B0FE1D9EABC80254DB502CA97A51", "href": "https://www.ibm.com/support/pages/node/6367285", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:35:16", "description": "## Summary\n\nThe following security issues have been identified in the WebSphere Application Server and IHS server included as part of IBM Tivoli Monitoring (ITM) portal server.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4578](<https://vulners.com/cve/CVE-2020-4578>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. 
This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184433. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184433](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184433>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4643](<https://vulners.com/cve/CVE-2020-4643>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185590](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185590>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4464](<https://vulners.com/cve/CVE-2020-4464>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181489](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181489>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4362](<https://vulners.com/cve/CVE-2020-4362>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. 
IBM X-Force ID: 178929. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178929>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4365](<https://vulners.com/cve/CVE-2020-4365>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178964>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4276](<https://vulners.com/cve/CVE-2020-4276>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175984>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4534](<https://vulners.com/cve/CVE-2020-4534>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182808](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182808>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4449](<https://vulners.com/cve/CVE-2020-4449>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 Fix Pack 7 Service Pack 5 (or later Service Pack) \n \n## Remediation/Fixes\n\nFix| VRMF| Remediation/Fix \n---|---|--- \n6.X.X-TIV-ITM_TEPS_EWAS-IHS_ALL_8.55.18.01| 6.3.0.x | <https://www.ibm.com/support/pages/node/6350173> \n \n \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-30T17:31:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-4720", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4449", "CVE-2020-4464", "CVE-2020-4534", "CVE-2020-4578", "CVE-2020-4643"], "modified": "2022-12-30T17:31:59", "id": "D794EA27CA7E3FF8825CDCEFF3439F08F1C4C2B94C2E54C22629BF94087D371F", "href": "https://www.ibm.com/support/pages/node/6351443", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:50:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with Tivoli Access Manager for e-business. 
Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in a security bulletin\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)\n\n| \n\nVersion(s) \n \n---|--- \n \nIBM Tivoli Access Manager for e-business\n\n| \n\n6.1.1.x \n \nIBM Tivoli Access Manager for e-business\n\n| \n\n6.1.x \n \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Versions| Affected Supporting Product and Versions| Affected Supporting Product Security Bulletins \n---|---|--- \nIBM Tivoli Access Manager for e-business 6.1.x, 6.1.1.x| IBM WebSphere Application Server 7.0, 8.0| [Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575)](<https://www.ibm.com/support/pages/node/6323293> \"Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting \\(CVE-2020-4575\\)\" )\n\n[Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448)](<https://www.ibm.com/support/pages/node/6220336> \"Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND \\(CVE-2020-4448\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4464)](<https://www.ibm.com/support/pages/node/6250059> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4464\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability 
(CVE-2020-4534)](<https://www.ibm.com/support/pages/node/6255074> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4534\\)\" )\n\n[Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\n[Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578)](<https://www.ibm.com/support/pages/node/6328895> \"Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting \\(CVE-2020-4578\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4450)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-remote-code-execution-vulnerability-cve-2020-4450> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4450\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-information-disclosure-vulnerability-cve-2020-4576-0> \"Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4576\\)\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-information-exposure-vulnerability-cve-2020-4643> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \\(CVE-2020-4643\\)\" )\n\n[Security Bulletin: WebSphere 
Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4629)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-information-disclosure-vulnerability-cve-2020-4629> \"Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability \\(CVE-2020-4629\\)\" )\n\n[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362)](<https://www.ibm.com/support/pages/security-bulletin-privilege-escalation-vulnerability-websphere-application-server-cve-2020-4362> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \\(CVE-2020-4362\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T21:32:45", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Tivoli Access Manager for e-business", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-4362", 
"CVE-2020-4448", "CVE-2020-4450", "CVE-2020-4464", "CVE-2020-4534", "CVE-2020-4575", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4629", "CVE-2020-4643"], "modified": "2020-10-07T21:32:45", "id": "476B017015C7BC4F8F39C2B41A3D687C1FD9E58B44A524C0A4CF05B7ED875145", "href": "https://www.ibm.com/support/pages/node/6344091", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:51:12", "description": "## Summary\n\nThere are multiple security vulnerabilities that affect the IBM WebSphere Application Server in the IBM Cloud. WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability. WebSphere Application Server is vulnerable to a remote code execution vulnerability. There are multiple vulnerabilities in the IBM\u00ae SDK, Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. WebSphere Application Server is vulnerable to a remote code execution vulnerability. There is a server-side request forgery vulnerability in the Apache Batik library which is used by WebSphere Application Server. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4534](<https://vulners.com/cve/CVE-2020-4534>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182808](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182808>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4464](<https://vulners.com/cve/CVE-2020-4464>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181489](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181489>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4589](<https://vulners.com/cve/CVE-2020-4589>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 184585. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184585](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184585>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-2601](<https://vulners.com/cve/CVE-2020-2601>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174548>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-14583](<https://vulners.com/cve/CVE-2020-14583>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185061](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185061>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14593](<https://vulners.com/cve/CVE-2020-14593>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185071](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185071>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-14621](<https://vulners.com/cve/CVE-2020-14621>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185099](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185099>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14556](<https://vulners.com/cve/CVE-2020-14556>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185034](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185034>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-14579](<https://vulners.com/cve/CVE-2020-14579>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14578](<https://vulners.com/cve/CVE-2020-14578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14577](<https://vulners.com/cve/CVE-2020-14577>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-2590](<https://vulners.com/cve/CVE-2020-2590>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174538](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174538>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of IBM WebSphere Application Server in IBM Cloud:\n\n * Version 9.0\n * Version 8.5\n \n\n\n## Remediation/Fixes\n\nTo patch an existing service instance, refer to the IBM WebSphere Application Server bulletins listed below: \n\n * [WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4534)](<https://www.ibm.com/support/pages/node/6255074> \"WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4534\\)\" )\n * [WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4464)](<https://www.ibm.com/support/pages/node/6250059> \"WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4464\\)\" )\n * [Multiple Vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2020 CPU plus deferred CVE-2020-2590 and CVE-2020-2601](<https://www.ibm.com/support/pages/node/6256732> \"Multiple Vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2020 CPU plus deferred CVE-2020-2590 and CVE-2020-2601\" )\n * [WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589)](<https://www.ibm.com/support/pages/node/6258333> \"WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2020-4589\\)\" )\n * [Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566)](<https://www.ibm.com/support/pages/node/6322683> \"Vulnerability in Apache Batik affects WebSphere Application Server \\(CVE-2019-17566\\)\" )\n\nPlease see [ Updating your environment](<https://cloud.ibm.com/docs/services/ApplicationServeronCloud?topic=wasaas-updating-your-environment>) in the Knowledge Center for information on applying service. 
\n\nAlternatively, delete the vulnerable service instance and create a new instance.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-08T19:56:38", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-14556", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14583", "CVE-2020-14593", "CVE-2020-14621", "CVE-2020-2590", "CVE-2020-2601", "CVE-2020-4464", "CVE-2020-4534", "CVE-2020-4589"], "modified": "2020-09-08T19:56:38", "id": "DC8B783B9EAA31C03B1E404FC721223E232D2BB78FAD1F0FF5BCC2915BC8629E", "href": "https://www.ibm.com/support/pages/node/6327411", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:45:55", "description": "## Summary\n\nThere are multiple vulnerabilities that affect IBM WebSphere Application Server shipped with IBM StoredIQ for Legal. 
These have been addressed in Fix Pack 2.0.3.13 of StoredIQ for Legal.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4163](<https://vulners.com/cve/CVE-2020-4163>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174397>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4782](<https://vulners.com/cve/CVE-2020-4782>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189213](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189213>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4534](<https://vulners.com/cve/CVE-2020-4534>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182808](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182808>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4450](<https://vulners.com/cve/CVE-2020-4450>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4362](<https://vulners.com/cve/CVE-2020-4362>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178929>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4589](<https://vulners.com/cve/CVE-2020-4589>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 184585. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184585](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184585>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4276](<https://vulners.com/cve/CVE-2020-4276>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175984>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppress the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-4449](<https://vulners.com/cve/CVE-2020-4449>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4365](<https://vulners.com/cve/CVE-2020-4365>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178964>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4643](<https://vulners.com/cve/CVE-2020-4643>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185590](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185590>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-4670](<https://vulners.com/cve/CVE-2019-4670>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171319>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nStoredIQ for Legal| 2.0.3 \n \n\n\n## Remediation/Fixes\n\nApply fix pack 2.0.3.13 that is available from Fix Central <https://www.ibm.com/support/fixcentral/>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T09:24:28", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-17566", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4449", "CVE-2020-4450", "CVE-2020-4534", "CVE-2020-4589", "CVE-2020-4643", "CVE-2020-4782"], "modified": "2021-03-04T09:24:28", "id": "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "href": "https://www.ibm.com/support/pages/node/6422665", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:50:08", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-13934](<https://vulners.com/cve/CVE-2020-13934>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by not releasing the HTTP/1.1 processor after the upgrade to HTTP/2 in an h2c direct connection. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to cause OutOfMemoryException resulting in a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185239](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185239>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-4378](<https://vulners.com/cve/CVE-2019-4378>) \n** DESCRIPTION: **IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages. IBM X-Force ID: 162084. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162084](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162084>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-1945](<https://vulners.com/cve/CVE-2020-1945>) \n** DESCRIPTION: **Apache Ant could allow a remote attacker to bypass security restrictions, caused by the use of an insecure temporary directory to store source files. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information and inject modified source files into the build process. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-0543](<https://vulners.com/cve/CVE-2020-0543>) \n** DESCRIPTION: **Xen and multiple Intel processors could allow a local authenticated attacker to obtain sensitive information, caused by an incomplete cleanup from specific special register read operations in some Intel\u00ae Processors. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183116](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183116>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-0548](<https://vulners.com/cve/CVE-2020-0548>) \n** DESCRIPTION: **Multiple Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by cleanup errors. An attacker could exploit this vulnerability to obtain sensitive information. 
\nCVSS Base score: 2.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175117](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175117>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-0549](<https://vulners.com/cve/CVE-2020-0549>) \n** DESCRIPTION: **Multiple Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by cleanup errors in some data cache evictions. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175118](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175118>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2010-4710](<https://vulners.com/cve/CVE-2010-4710>) \n** DESCRIPTION: **YUI Library is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the addItem method in the Menu widget. A remote attacker could exploit this vulnerability using a field that is added to a menu to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/65180](<https://exchange.xforce.ibmcloud.com/vulnerabilities/65180>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2020-5408](<https://vulners.com/cve/CVE-2020-5408>) \n** DESCRIPTION: **VMware Tanzu Spring Security could allow a remote attacker to obtain sensitive information, caused by the use of a fixed null initialization vector with CBC Mode. 
By using dictionary attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181969](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181969>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-13990](<https://vulners.com/cve/CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-13935](<https://vulners.com/cve/CVE-2020-13935>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by improper validation of the payload length in a WebSocket frame. By sending multiple requests with invalid payload lengths, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185227>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-10241](<https://vulners.com/cve/CVE-2019-10241>) \n** DESCRIPTION: **Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160676](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160676>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-10247](<https://vulners.com/cve/CVE-2019-10247>) \n** DESCRIPTION: **Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160610](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160610>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. 
An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-15494](<https://vulners.com/cve/CVE-2018-15494>) \n** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-5398](<https://vulners.com/cve/CVE-2020-5398>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to obtain sensitive information, caused by a flaw when it sets a Content-Disposition header in the response. By using a reflected file download (RFD) attack, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174711](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174711>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** Third Party Entry: **180875 \n** DESCRIPTION: **jQuery cross-site scripting \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/180875 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** Third Party Entry: **180875 \n** DESCRIPTION: **jQuery cross-site scripting \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/180875 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** Third Party Entry: **180875 \n** DESCRIPTION: **jQuery cross-site scripting \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/180875 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180875>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** Third Party Entry: **180875 \n** DESCRIPTION: **jQuery cross-site scripting \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/180875 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM QRadar SIEM 7.4.0 - 7.4.1 GA\n\nIBM QRadar SIEM 7.3.0 - 7.3.3 Patch 4\n\n## Remediation/Fixes\n\n[QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.1-QRADAR-QRSIEM-20200915010309&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true> \"QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1\" )\n\n[QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200929154613&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T22:53:38", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities", "bulletinFamily": 
"software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4710", "CVE-2018-15494", "CVE-2019-10241", "CVE-2019-10247", "CVE-2019-13990", "CVE-2019-17566", "CVE-2019-4378", "CVE-2020-0543", "CVE-2020-0548", "CVE-2020-0549", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-1945", "CVE-2020-5398", "CVE-2020-5408"], "modified": "2020-10-07T22:53:38", "id": "570AF6CDC4F7E864E6852EBD03923041C13A884B424AC254820AD0EEB73694DF", "href": "https://www.ibm.com/support/pages/node/6344075", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T22:03:06", "description": "## Question\n\nIs there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server?\n\n## Answer\n\nThe following table is provided to help you locate WebSphere Application Server and IBM HTTP Server security bulletins. These are listed numerically by CVE number not by the last one published.\n\nNote the IBM Java runtime included with WebSphere Application Server provides an execution environment for non-IBM code. While the below table includes all IBM Java vulnerabilities related to the WebSphere Application Server product, there might be additional IBM Java vulnerabilities which impact non-IBM code running in your WebSphere Application Server environment. For a listing of all IBM Java security bulletins, refer to [_IBM Java Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>). 
To determine the Java SDK version used with WebSphere Application Server, refer to the [_Verify Java SDK version shipped with WebSphere Application Server_](<http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27005002>).\n\nTo avoid preventable security issues, it is recommended that you stay up-to-date on the most current maintenance options for your products. You can also subscribe to the security bulletins for each of your products as provided in this link, [_IBM Security Bulletins_](<http://www.ibm.com/security/secure-engineering/bulletins.html>).\n\nWhen significant updates have been made to security bulletins, it will be noted with the date of the last update in the bulletin columns.\n\nNote: Starting 07/16/2020, the most recent fix published will be added to the top of this list below as well as in numerical order by year.\n\n**Recent CVEs (previous 15 published from most recent to least recent)**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2022-22476 | 5.0 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information 
Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-31813 | 5.3 | Not affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21299 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n \n**2022 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2022-31813 | 5.3 | Not affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request 
Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-25315 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25313 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25236 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25235 | 3.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23990 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23852 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23307 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23305 | 6.5 | [SQL Injection](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23302 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-22827 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22826 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22825 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22824 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22823 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22822 | 7.8 | Not affected 
| [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22721 | 7.3 | Not affected | [Buffer Overflow](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22720 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22719 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22476 | 5.0 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22393 | 3.1 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6585704>) | Not affected | Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22310 | 4.8 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6541530>) | Not affected | Liberty \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n| CVE-2022-21340 | 5.3 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21229 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n \n**2021 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions 
Affected** \n \n---|---|---|---|---|--- \n| CVE-2021-46708 | 4.3 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2021-46143 | 7.8 | Not affected | [Remote Code Execution](<https://Denial of Service>) | 7.0,8.0,8.5,9.0 \n| CVE-2021-45960 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6559296>) | 7.0,8.0,8.5,9.0 \n| CVE-2021-45105 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-45046 | 9.0 | [Denial of Service](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-44832 | 6.6 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-44790 | 9.8 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \nLog4Shell | CVE-2021-44228 | 10 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6525706>) | Not affected | 9.0, 8.5 \n| CVE-2021-44224 | 8.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \n| CVE-2021-40438 | 9.0 | Not affected | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-39275 | 3.7 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6493845>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-39038 | 4.4 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6559044>) | Not affected | 9.0, Liberty \n| CVE-2021-39031 | 7.5 | [LDAP Injection](<https://www.ibm.com/support/pages/node/6550488>) | Not affected | Liberty \n| CVE-2021-38951 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6524674>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-36090 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-35603 | 3.7 | [IBM Java SDK for January 2022 
CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35578 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-35564 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-35550 | 5.9 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35517 | 5.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-34798 | 5.9 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-30641 | 5.3 | Not affected | [Weaker Security](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-29842 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6489485>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-29754 | 4.2 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6462627>) | Not affected | 9.0, 8.5, 8.0, 
7.0 \n| CVE-2021-29736 | 5.0 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6476678>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-26691 | 5.9 | Not affected | [Heap Buffer Overflow](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26690 | 3.7 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26296 | 8.8 | [Cross-site request forgery](<https://www.ibm.com/support/pages/node/6441433>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-23450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6558594>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-20517 | 6.4 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6456955>) | Not affected | 9.0, 8.5 \n| CVE-2021-20492 | 6.5 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6456017>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-20480 | 4.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6441063>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2021-20454 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445481>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-20453 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445171>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20354 | 5.9 | [Directory traversal](<https://www.ibm.com/support/pages/node/6415959>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20353 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6413709>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-4104 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-2369 | 4.3 | [IBM Java SDK for July 2021 CPU](<https://www.ibm.com/support/pages/node/6481135>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-2161 | 5.9 | [IBM Java SDK for April 2021 CPU](<https://www.ibm.com/support/pages/node/6454853>) | Not 
affected | 9.0, 8.5, Liberty \n \n**2020 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2020-27221 | 9.8 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14797 | 3.7 | [IBM Java SDK for October 2020 CPU](<https://www.ibm.com/support/pages/node/6379260>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14782 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14781 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14621 | 5.3 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14581 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14579 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14578 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14577 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-13938 | 6.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-11985 | 5.3 | Not affected | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6324789>) | 9.0 \n| CVE-2020-10693 | 5.3 | [Bypass security](<https://www.ibm.com/support/pages/node/6348216>) | Not affected | Liberty \n| CVE-2020-5258 | 7.5 | [Information 
Disclosure](<https://www.ibm.com/support/pages/node/6443101>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2020-5016 | 5.3 | [Directory traversal](<https://www.ibm.com/support/pages/node/6427873>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4949 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6408244>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4782 | 6.5 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6356083>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4643 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6334311>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4629 | 2.9 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6339255>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4590 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6333623>) | Not affected | Liberty \n| CVE-2020-4589 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6258333>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4578 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6328895>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4576 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6339807>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4575 | 4.7 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6323293>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4534 | 7.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6255074>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4464 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6250059>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6220294>) | Not affected | 9.0,8.5 \n| CVE-2020-4449 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6220296>) | Not affected | 9.0, 8.5, 8.0,7.0 \n| CVE-2020-4448 | 9.8 | 
[Remote Code Execution](<https://www.ibm.com/support/pages/node/6220336>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4421 | 5.0 | [Identity spoofing](<https://www.ibm.com/support/pages/node/6205926>) | Not affected | Liberty \n| CVE-2020-4365 | 5.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6209099>) | Not affected | 8.5 \n| CVE-2020-4362 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6174417>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4329 | 4.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6201862>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2020-4304 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4303 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4276 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6118222>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4163 | 6.6 | [Command Execution](<https://www.ibm.com/support/pages/node/1288786>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-2800 | 4.8 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2781 | 5.3 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2773 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2755 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2754 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2654 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 
9.0,8.5,Liberty \n| CVE-2020-2601 | 6.8 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2593 | 4.8 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2590 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-1934 | 8.1 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n| CVE-2020-1927 | 7.4 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n \n**2019 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2019-17573 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6100132>) | Not affected | Liberty \n| CVE-2019-17566 | 7.5 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6322683>) | Not affected | 9.0,8.5,8.0 \n| CVE-2019-17495 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/1274596>) | Not affected | Liberty \n| CVE-2019-12402 | 4.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1074156>) | Not affected | Liberty \n| CVE-2019-12406 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1288774>) | Not affected | 9.0,Liberty \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2019-10098 | 3.7 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10092 | 4.7 | Not affected | [Cross-site scripting](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10086 | 
5.3 | [Unauthorized Access](<https://www.ibm.com/support/pages/node/1115085>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-9518 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9517 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9515 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9514 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9513 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9512 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-4732 | 7.2 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-4720 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1285372>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4670 | 6.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/1289152>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-4663 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/1127367>) | Not affected | Liberty \n| CVE-2019-4505 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/964766>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4477 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/960290>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4442 | 4.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/959021>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4441 | 5.3 | [Information disclosure](<https://www.ibm.com/support/pages/node/959023>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4305 | 5.3 | [Information 
disclosure](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4304 | 6.3 | [Bypass security](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4285 | 5.4 | [Clickjacking vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884064>) | Not affected | Liberty \n| CVE-2019-4279 | 9.0 | [Remote Code Execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10883628>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4271 | 3.5 | [HTTP Parameter Pollution](<https://www.ibm.com/support/pages/node/884040>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4270 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/884036>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4269 | 5.3 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884032>) | Not affected | 9.0 \n| CVE-2019-4268 | 5.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/884030>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4080 | 6.5 | [Denial of Service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10875692>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4046 | 5.9 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869570>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2019-4030 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869406>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2019-2989 | 6.8 | [IBM Java SDK for October 2019 CPU](<https://www.ibm.com/support/pages/node/1126887>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-2949 | 6.8 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-2426 | 3.7 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-0220 | 5.3 | Not affected | [Weaker 
Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-0211 | 8.2 | Not affected | [Privilege Escalation](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0 \n \n**2018 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| N/A | 8.1 | [Remote code execution in JSF](<http://www-01.ibm.com/support/docview.wss?uid=ibm10716525>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-25031 | 5.4 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2018-20843 | 3.3 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 9.0 \n| CVE-2018-17199 | 5.3 | Not affected | [Bypass security ](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869064>) | 9.0 \n| CVE-2018-12547 | 9.8 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-12539 | 8.4 | [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-10237 | 7.5 | \n\n[Denial of service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795696>)\n\n| Not affected | 9.0, 8.5, Liberty \n| CVE-2018-8039 | 7.5 | [Man-in-the-Middle](<https://www-01.ibm.com/support/docview.wss?uid=ibm10720065>) | Not affected | 9.0 Liberty \n| CVE-2018-3180 | 5.6 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-3139 | 3.1 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2800 | 4.2 | [IBM Java SDK for 
April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2783 | 7.4 | [IBM Java SDK for April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2637 | 7.4 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2634 | 6.8 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2633 | 8.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2603 | 5.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2602 | 4.5 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2579 | 3.7 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1996 | 5.3 | [Weaker Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10793421>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1957 | 4.0 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10744247>) | Not affected | 9.0 \n| CVE-2018-1926 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1905 | 7.1 | [XXE vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738721>) | Not affected | 9.0 \n| CVE-2018-1904 | 8.1 | [Remote Code execution](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738735>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| 
CVE-2018-1902 | 3.1 | [Spoofing Vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795115>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1901 | 5.0 | [Privilege Escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738727>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-1890 | 5.6 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-1851 | 7.3 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10735105>) | Not affected | Liberty \n| CVE-2018-1840 | 6.0 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10735767>) | Not affected | \n\n9.0, 8.5 \n \n| CVE-2018-1798 | 6.1 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730703>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1797 | 6.3 | [Directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730699>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1794 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729571>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1793 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729563>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1777 | 5.4 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10730631>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1770 | 6.5 | [Directory traversal](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729521>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1767 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729547>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1755 | 5.9 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10728689>) | Not affected | Liberty \n| CVE-2018-1719 | 5.9 | [Weaker 
security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718837>) | Not affected | 9.0, 8.5 \n| CVE-2018-1695 | 7.3 | [Spoofing vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716523>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-1683 | 5.9 | [Information disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716533>) | Not affected | Liberty \n| CVE-2018-1656 | 7.4 | [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1643 | 6.1 | [Cross-site Scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716857>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2018-1626 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1621 | 4.4 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016821>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1614 | 5.8 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1567 | 9.8 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=swg22016254>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1553 | 5.3 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016218>) | Not affected | Liberty \n| CVE-2018-1447 | 5.1 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1427 | 6.2 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1426 | 7.4 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \nROBOT | CVE-2018-1388 | 9.1 | Not affected | [Information 
Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22014196>) | 7.0 \n| CVE-2018-1301 | 5.3 | Not affected | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n \n**2017 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2017-15715 | 3.7 | Not affected | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-15710 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12624 | 5.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013597>) | Not affected | 9.0, Liberty \n| CVE-2017-12618 | 5.5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12613 | 9.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013598>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-10388 | 7.5 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10356 | 6.2 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10116 | 8.3 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10115 | 7.5 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10102 | 9.0 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 
8.5, 8.0, 7.0, Liberty \n| CVE-2017-9798 | 7.5 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7679 | 5.3 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7668 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-5638 | 7.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | \n| CVE-2017-3736 | 5.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3732 | 5.3 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3511 | 7.7 | [IBM Java SDK for April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-3167 | 5.3 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1788 | 5.3 | [Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg22012341>) | Not affected | 9.0, Liberty \n| CVE-2017-1743 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22013601>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1741 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22012342>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1731 | 8.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg22012345>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1681 | 4.0 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22010419>) | Not affected | 9.0, 8.5, 8.0, 
7.0, Liberty \n| CVE-2017-1583 | 5.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2017-1504 | 5.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006803>) | Not affected | 9.0 \n| CVE-2017-1503 | 6.1 | [HTTP response splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg22006815>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1501 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006810>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2017-1382 | 5.1 | [Insecure file permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg22004785>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1381 | 2.9 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22004792>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1380 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22004786>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1194 | 4.3 | [Cross-site request forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-1151 | 8.1 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2017-1137 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) | Not affected | 8.5, 8.0 \n| CVE-2017-1121 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n \n**2016 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2016-1000031 | 9.8 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg22011428>) | Not affected | 9.0, 8.5, 8.0, 
Liberty \n| CVE-2016-9736 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21991469>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2016-8934 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21992315>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-8919 | 5.9 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-8743 | 6.1 | Not affected | [Response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21996847>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-7056 | 4.0 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-5986 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5983 | 7.5 | [Gain Privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5597 | 5.9 | [IBM Java SDK for October 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5573 | 8.3 | [IBM Java SDK for October 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5549 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5548 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5547 | 5.3 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5546 | 7.5 | [IBM Java SDK for January 2017 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \nHTTPOXY | CVE-2016-5387 | 8.1 | Not affected | [Redirect HTTP traffic](<http://www-01.ibm.com/support/docview.wss?uid=swg21988019>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4975 | 6.1 | Not affected | Superseded by CVE-2016-8743 | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4472 | 5.3 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-3485 | 2.9 | [IBM Java SDK for July 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3427 | 10 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3426 | 4.3 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3092 | 5.3 | [Apache Commons FileUpload Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3042 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986716>) | Not affected | Liberty \n| CVE-2016-3040 | 6.3 | [Open Redirect Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>) | Not affected | Liberty \n| CVE-2016-2960 | 3.7 | [Denial of Service with SIP Services](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-2945 | 5.0 | [Weaker security in Liberty API discovery feature](<http://www-01.ibm.com/support/docview.wss?uid=swg21984502>) | Not affected | Liberty \n| CVE-2016-2923 | 5.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21983700>) | Not affected | Liberty \nSWEET32 | CVE-2016-2183 | 3.7 | [IBM Java SDK for 
January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | [IBM HTTP Server and Sweet32](<http://www-01.ibm.com/support/docview.wss?uid=swg21991548>) (21 Dec 2017) | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-1182 | 4.8 | [Bypass Security Restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>); [Bypass Security Restrictions UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-1181 | 8.1 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>); [Execute Code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0 \nDROWN | CVE-2016-0800 | | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978292>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978317>) | \n| CVE-2016-0718 | 9.8 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) (13 Sept 2016) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-0702 | 2.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0 \n| CVE-2016-0488 | 4.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0475 | 5.8 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0466 | 5.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0389 | 5.3 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21982012>) | Not affected | Liberty \n| CVE-2016-0385 
| 3.1 | [Bypass security restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0378 | 3.7 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>) | Not affected | Liberty \n| CVE-2016-0377 | 4.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2016-0360 | 8.1 | [Deserialize objects with MQ Resource adapter](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) (14 March 2017) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-0359 | 6.1 | [HTTP Response Splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0306 | 3.7 | [Security vulnerability if FIPS 140-2 is enabled](<http://www-01.ibm.com/support/docview.wss?uid=swg21979231>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0283 | 6.1 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21978293>) | Not affected | Liberty \n| CVE-2016-0201 | 5.9 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0 \n \n**2015 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \nSLOTH | CVE-2015-7575 | 7.1 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-7450 | 9.8 | \n\n[Vulnerability in Apache Commons affects IBM WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21970575>) (21 Dec 2017)\n\n[Knowledge Center updates](<https://www.ibm.com/support/pages/node/1107105>) (14 Nov 2019)\n\n| Not affected | \n\n8.5, 8.0, 7.0, 
Liberty\n\n9.0 \n \n| CVE-2015-7420 | 3.7 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0 \n| CVE-2015-7417 | 5.4 | [Cross-site scripting with OAuth](<http://www-01.ibm.com/support/docview.wss?uid=swg21974520>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-5262 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2015-5006 | 4.6 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4947 | 7.5 | Not affected | [Stack buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21965419>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-4938 | 3.5 | [Spoof servlet vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-4872 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4749 | 4.3 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4734 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \nLog Jam | CVE-2015-4000 | 4.3 | [Logjam with Diffie-Hellman ciphers](<http://www-01.ibm.com/support/docview.wss?uid=swg21957980>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-3183 | 6.1 | Not affected | [HTTP Request smuggling](<http://www-01.ibm.com/support/docview.wss?uid=swg21963361>) | 8.5, 8.0, 7.0, 6.1 \nBar Mitzvah | CVE-2015-2808 | 5.0 | [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21701503>) | [Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching 
Proxy](<https://www-01.ibm.com/support/docview.wss?uid=swg21701072>) | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2625 | 2.6 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2613 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2601 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2017 | 5.0 | [HTTP response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1946 | 4.1 | [Gain elevated privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2015-1936 | 4 | [Hijack users session vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0 \n| CVE-2015-1932 | 5 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2015-1931 | 2.1 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-1927 | 6.8 | [Gain elevated privileges vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-1920 | 9.3 | [Security vulnerability with management port in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21883573>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1916 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-1885 | 9.3 | [Gain elevated privileges with OAuth grant 
password](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-1882 | 8.5 | [Gain elevated privileges with EJB](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty \n| CVE-2015-1829 | 5.0 | Not affected | [Denial of Service on Windows with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21959081>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1788 | 5.0 | Not affected | [Denial of Service in GSKIT with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21963362>) | 8.5, 8.0 \n| CVE-2015-1283 | 6.8 | Not affected | [Denial of Service with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21964428>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0899 | 4.3 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2015-0488 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0478 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0410 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0400 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0254 | 7.5 | [Security vulnerability in Apache Standard Taglibs](<http://www-01.ibm.com/support/docview.wss?uid=swg21978495>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0250 | 4.3 | [Security vulnerability in Apache Batik](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, 6.1 \nGhost | CVE-2015-0235 | | Not affected | Not affected | \n| CVE-2015-0226 | 5.0 | [Security 
vulnerability in Apache WSS4J](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5 \n| CVE-2015-0204 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0174 | 3.5 | [Information disclosure with SNMP](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5 \n| CVE-2015-0175 | 4.0 | [Gain elevated privileges with authData elements](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty \nFREAK | CVE-2015-0138 | 4.3 | [Vulnerability with RSA export Keys affects WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) | [Vulnerability with RSA export keys affects IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698959>) | 8.5, 8.0, 7.0, 6.1, Liberty \n \n**2014 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2014-8917 | 4.3 | [Cross-site Scripting in Dojo Toolkit](<http://www-01.ibm.com/support/docview.wss?uid=swg21697284>) | Not affected | 8.5, 8.0 \n| CVE-2014-8890 | 5.1 | [Elevated Privileges in Liberty](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | Liberty \nTLS Padding | CVE-2014-8730 | 4.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21692484>) | [TLS Padding in IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21692502>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-7810 | 5.0 | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | 9.0, 8.5, 8.0, 7.0, Liberty \nShell shock | CVE-2014-7189 \nCVE-2014-7186 \nCVE-2014-7169 \nCVE-2014-6278 
\nCVE-2014-6277 \nCVE-2014-6271 | | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) \n \nNot affected but applications could be | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) \n \nNot affected but applications could be | Customer application might be vulnerable \n| CVE-2014-6593 | 4.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6558 | 2.6 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6512 | 4.3 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6457 | 4.0 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6174 | 4.3 | [Click jacking vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-6167 | | [Cross-site scripting](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-6166 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0 \n| CVE-2014-6164 | 4.3 | [Spoofing vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5 \n| CVE-2014-4816 | 3.5 | Not affected | [Cross-site scripting vulnerability](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-4770 | 3.5 | Not affected | [Cross-site request forgery](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-4767 | 4.3 | [Weaker than expected security](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not 
affected | Liberty \n| CVE-2014-4764 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0 \n| CVE-2014-4263 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-4244 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3603 | 6.5 | [Spoofing](<https://www.ibm.com/support/pages/node/964764>) | Not affected | Liberty \n| CVE-2014-3577 | 4.3 | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \nPOODLE | CVE-2014-3566 | 4.3 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3083 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-3070 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0 \n| CVE-2014-3068 | 2.4 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3022 | 5.0 | [Bypass security](<https://www-304.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0 \n| CVE-2014-3021 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0965 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0964 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 6.1 \n| CVE-2014-0963 | 7.1 | Not affected | [CPU 
exhaustion](<https://www-304.ibm.com/support/docview.wss?uid=swg21672843>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0896 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | Liberty \n| CVE-2014-0891 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0878 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0859 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-0857 | 4.0 | [Obtain Information](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0 \n| CVE-2014-0823 | 4.3 | [View Files](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2014-0460 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0453 | 4.0 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0411 | 4.0 | [IBM Java SDK for January 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21663938>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0231 | 5.0 | Not affected | [Denial of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0226 | 7.5 | Not affected | [Heap buffer overflow](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \nHeartbleed | CVE-2014-0160 | | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) | \n| CVE-2014-0118 | 5.0 | Not affected | [Denial 
of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0114 \nCVE-2014-0114 | 7.5 \n7.5 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21672316>) \n[Execute code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 7.0, 6.1 \n9.0, 8.5, 8.0, 7.0 \n| CVE-2014-0098 | 5.0 | Not affected | [Denial of service](<https://www-304.ibm.com/support/docview.wss?uid=swg21667526>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0076 | 2.1 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | 8.5, 8.0 \n| CVE-2014-0050 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21667254>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n \n**2013 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2013-6747 | 7.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0 \n| CVE-2013-6738 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-6725 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-6440 | 4.3 | [XML External Entity](<http://www-01.ibm.com/support/docview.wss?uid=swg22010415>) | Not affected | Liberty \n| CVE-2013-6438 | 4.3 | Not affected | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0 \n| CVE-2013-6330 | 2.1 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 7.0 \n| CVE-2013-6329 | 7.8 | Not affected | [Denial of 
Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21659548>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-6325 | 4.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-6323 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5802 | 2.6 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5780 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5704 | 5 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5425 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-5418 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5417 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-5414 | 3.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5372 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4053 | 6.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4052 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4039 | 4 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21647485>) | Not affected | 8.5 \n| CVE-2013-4006 | 3.5 | [Obtain 
sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | Liberty \n| CVE-2013-4005 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4004 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0 \n| CVE-2013-3029 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21640799>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-3024 | 6.9 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5 \n| CVE-2013-2976 | 1.9 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-2967 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1896 | 4.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21643362>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1862 | 5.1 | Not affected | [Command execution](<http://www-01.ibm.com/support/docview.wss?uid=swg21635991>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1768 | 10 | [Deserialization](<http://www-01.ibm.com/support/docview.wss?uid=swg21635999>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2013-1571 | 4.3 | [Clickjacking](<http://www-01.ibm.com/support/docview.wss?uid=swg21641387>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0599 | 5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-0597 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21635998>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-0596 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 6.1 \n| CVE-2013-0565 | 4.3 | [Cross-site 
scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5 \n| CVE-2013-0544 | 3.5 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0543 | 6.8 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0542 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0541 | 1.9 | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0540 | 4.9 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | Liberty \n| CVE-2013-0482 | 2.6 | [Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg21634646>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0467 | 4 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-0464 | 4.3 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, \n| CVE-2013-0462 | 6.5 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2013-0461 | 1.2 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0460 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0459 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0458 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0443 | 4 | [IBM Java SDK for Feb 2013 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0440 | 5 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1 \nLucky Thirteen | CVE-2013-0169 | 4.3 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | [Side Channel Attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21635988>) | 8.5, 8.0, 7.0, 6.1 \n \n**2012 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2012-6153 | 4.3 | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2012-5783 | 4.3 | [Spoofing attacks](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-4853 | 4.3 | [Cross-site request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-4851 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty \n| CVE-2012-4850 | 7.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty \n| CVE-2012-3330 | 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2012-3325 | 6 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21609067>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3311 | 3 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2012-3306 | 4.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0 \n| 
CVE-2012-3305 | 5.8 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3304 | 6.8 | [Hijack session](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3293 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2191 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2190 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2170 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21595172>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-2159 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | Not affected | 8.5, 8.0 \n| CVE-2012-2098 | 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-1148 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-1007 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-0876 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-0720 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-0717 | 2.6 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 7.0, 6.1 \n| CVE-2012-0716 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-0193 
| 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n \n**2011 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2011-4889 | 5 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2011-4343 | 5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2011-1498 | 5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2011-1377 | 2.1 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21589257>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2011-1376 | 4.4 | [Insecure permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n \n**Important note:** IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n[{\"Product\":{\"code\":\"SSEQTP\",\"label\":\"WebSphere Application Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF012\",\"label\":\"IBM i\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"9.0.0.0;8.5.5;8.5;8.0;7.0;6.1\",\"Edition\":\"Advanced;Base;Developer;Express;Liberty;Network Deployment\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSEQTJ\",\"label\":\"IBM HTTP Server\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSCKBL\",\"label\":\"WebSphere Application Server Hypervisor Edition\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSD28V\",\"label\":\"WebSphere Application Server Liberty Core\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-13T18:04:48", "type": "ibm", "title": "WebSphere Application Server and IBM HTTP Server Security Bulletin List", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1376", "CVE-2011-1377", "CVE-2011-1498", "CVE-2011-4343", "CVE-2011-4889", "CVE-2012-0193", "CVE-2012-0716", "CVE-2012-0717", "CVE-2012-0720", "CVE-2012-0876", "CVE-2012-1007", "CVE-2012-1148", "CVE-2012-2098", "CVE-2012-2159", "CVE-2012-2170", "CVE-2012-2190", "CVE-2012-2191", "CVE-2012-3293", "CVE-2012-3304", "CVE-2012-3305", "CVE-2012-3306", "CVE-2012-3311", "CVE-2012-3325", "CVE-2012-3330", "CVE-2012-4850", "CVE-2012-4851", "CVE-2012-4853", "CVE-2012-5783", "CVE-2012-6153", "CVE-2013-0169", "CVE-2013-0440", "CVE-2013-0443", "CVE-2013-0458", "CVE-2013-0459", "CVE-2013-0460", "CVE-2013-0461", "CVE-2013-0462", "CVE-2013-0464", "CVE-2013-0467", "CVE-2013-0482", "CVE-2013-0540", "CVE-2013-0541", "CVE-2013-0542", "CVE-2013-0543", "CVE-2013-0544", "CVE-2013-0565", "CVE-2013-0596", "CVE-2013-0597", "CVE-2013-0599", "CVE-2013-1571", "CVE-2013-1768", "CVE-2013-1862", "CVE-2013-1896", "CVE-2013-2967", "CVE-2013-2976", "CVE-2013-3024", "CVE-2013-3029", "CVE-2013-4004", "CVE-2013-4005", "CVE-2013-4006", "CVE-2013-4039", "CVE-2013-4052", "CVE-2013-4053", "CVE-2013-5372", "CVE-2013-5414", 
"CVE-2013-5417", "CVE-2013-5418", "CVE-2013-5425", "CVE-2013-5704", "CVE-2013-5780", "CVE-2013-5802", "CVE-2013-6323", "CVE-2013-6325", "CVE-2013-6329", "CVE-2013-6330", "CVE-2013-6438", "CVE-2013-6440", "CVE-2013-6725", "CVE-2013-6738", "CVE-2013-6747", "CVE-2014-0050", "CVE-2014-0076", "CVE-2014-0098", "CVE-2014-0114", "CVE-2014-0118", "CVE-2014-0160", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-0411", "CVE-2014-0453", "CVE-2014-0460", "CVE-2014-0823", "CVE-2014-0857", "CVE-2014-0859", "CVE-2014-0878", "CVE-2014-0891", "CVE-2014-0896", "CVE-2014-0963", "CVE-2014-0964", "CVE-2014-0965", "CVE-2014-3021", "CVE-2014-3022", "CVE-2014-3068", "CVE-2014-3070", "CVE-2014-3083", "CVE-2014-3566", "CVE-2014-3577", "CVE-2014-3603", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-4764", "CVE-2014-4767", "CVE-2014-4770", "CVE-2014-4816", "CVE-2014-6164", "CVE-2014-6166", "CVE-2014-6167", "CVE-2014-6174", "CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-6457", "CVE-2014-6512", "CVE-2014-6558", "CVE-2014-6593", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7189", "CVE-2014-7810", "CVE-2014-8730", "CVE-2014-8890", "CVE-2014-8917", "CVE-2015-0138", "CVE-2015-0174", "CVE-2015-0175", "CVE-2015-0204", "CVE-2015-0226", "CVE-2015-0235", "CVE-2015-0250", "CVE-2015-0254", "CVE-2015-0400", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-0899", "CVE-2015-1283", "CVE-2015-1788", "CVE-2015-1829", "CVE-2015-1882", "CVE-2015-1885", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1932", "CVE-2015-1936", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4872", "CVE-2015-4938", "CVE-2015-4947", "CVE-2015-5006", "CVE-2015-5262", "CVE-2015-7417", "CVE-2015-7420", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0201", "CVE-2016-0283", "CVE-2016-0306", "CVE-2016-0359", "CVE-2016-0360", "CVE-2016-0377", "CVE-2016-0378", 
"CVE-2016-0385", "CVE-2016-0389", "CVE-2016-0466", "CVE-2016-0475", "CVE-2016-0488", "CVE-2016-0702", "CVE-2016-0718", "CVE-2016-0800", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2183", "CVE-2016-2923", "CVE-2016-2945", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-3426", "CVE-2016-3427", "CVE-2016-3485", "CVE-2016-4472", "CVE-2016-4975", "CVE-2016-5387", "CVE-2016-5546", "CVE-2016-5547", "CVE-2016-5548", "CVE-2016-5549", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-7056", "CVE-2016-8743", "CVE-2016-8919", "CVE-2016-8934", "CVE-2016-9736", "CVE-2017-10102", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10356", "CVE-2017-10388", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194", "CVE-2017-12613", "CVE-2017-12618", "CVE-2017-12624", "CVE-2017-1380", "CVE-2017-1381", "CVE-2017-1382", "CVE-2017-1501", "CVE-2017-1503", "CVE-2017-1504", "CVE-2017-15710", "CVE-2017-15715", "CVE-2017-1583", "CVE-2017-1681", "CVE-2017-1731", "CVE-2017-1741", "CVE-2017-1743", "CVE-2017-1788", "CVE-2017-3167", "CVE-2017-3511", "CVE-2017-3732", "CVE-2017-3736", "CVE-2017-5638", "CVE-2017-7668", "CVE-2017-7679", "CVE-2017-9798", "CVE-2018-10237", "CVE-2018-12539", "CVE-2018-12547", "CVE-2018-1301", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447", "CVE-2018-1553", "CVE-2018-1567", "CVE-2018-1614", "CVE-2018-1621", "CVE-2018-1626", "CVE-2018-1643", "CVE-2018-1656", "CVE-2018-1683", "CVE-2018-1695", "CVE-2018-1719", "CVE-2018-17199", "CVE-2018-1755", "CVE-2018-1767", "CVE-2018-1770", "CVE-2018-1777", "CVE-2018-1793", "CVE-2018-1794", "CVE-2018-1797", "CVE-2018-1798", "CVE-2018-1840", "CVE-2018-1851", "CVE-2018-1890", "CVE-2018-1901", "CVE-2018-1902", "CVE-2018-1904", "CVE-2018-1905", "CVE-2018-1926", "CVE-2018-1957", "CVE-2018-1996", "CVE-2018-20843", "CVE-2018-25031", "CVE-2018-2579", "CVE-2018-2602", "CVE-2018-2603", "CVE-2018-2633", "CVE-2018-2634", "CVE-2018-2637", 
"CVE-2018-2783", "CVE-2018-2800", "CVE-2018-3139", "CVE-2018-3180", "CVE-2018-8039", "CVE-2019-0211", "CVE-2019-0220", "CVE-2019-10086", "CVE-2019-10092", "CVE-2019-10098", "CVE-2019-11777", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-17495", "CVE-2019-17566", "CVE-2019-17573", "CVE-2019-2426", "CVE-2019-2949", "CVE-2019-2989", "CVE-2019-4030", "CVE-2019-4046", "CVE-2019-4080", "CVE-2019-4268", "CVE-2019-4269", "CVE-2019-4270", "CVE-2019-4271", "CVE-2019-4279", "CVE-2019-4285", "CVE-2019-4304", "CVE-2019-4305", "CVE-2019-4441", "CVE-2019-4442", "CVE-2019-4477", "CVE-2019-4505", "CVE-2019-4663", "CVE-2019-4670", "CVE-2019-4720", "CVE-2019-4732", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9515", "CVE-2019-9517", "CVE-2019-9518", "CVE-2020-10693", "CVE-2020-11985", "CVE-2020-13938", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14581", "CVE-2020-14621", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14797", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-2590", "CVE-2020-2593", "CVE-2020-2601", "CVE-2020-2654", "CVE-2020-27221", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4303", "CVE-2020-4304", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4421", "CVE-2020-4448", "CVE-2020-4449", "CVE-2020-4450", "CVE-2020-4464", "CVE-2020-4534", "CVE-2020-4575", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4590", "CVE-2020-4629", "CVE-2020-4643", "CVE-2020-4782", "CVE-2020-4949", "CVE-2020-5016", "CVE-2020-5258", "CVE-2021-20353", "CVE-2021-20354", "CVE-2021-20453", "CVE-2021-20454", "CVE-2021-20480", "CVE-2021-20492", "CVE-2021-20517", "CVE-2021-2161", "CVE-2021-23450", "CVE-2021-2369", "CVE-2021-26296", "CVE-2021-26690", "CVE-2021-26691", "CVE-2021-29736", "CVE-2021-29754", "CVE-2021-29842", "CVE-2021-30641", "CVE-2021-34798", "CVE-2021-35517", "CVE-2021-35550", "CVE-2021-35564", "CVE-2021-35578", "CVE-2021-35603", "CVE-2021-36090", 
"CVE-2021-38951", "CVE-2021-39031", "CVE-2021-39038", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-44224", "CVE-2021-44228", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2021-45960", "CVE-2021-46143", "CVE-2021-46708", "CVE-2022-21229", "CVE-2022-21299", "CVE-2022-21340", "CVE-2022-21496", "CVE-2022-22310", "CVE-2022-22365", "CVE-2022-22393", "CVE-2022-22473", "CVE-2022-22475", "CVE-2022-22476", "CVE-2022-22477", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22822", "CVE-2022-22823", "CVE-2022-22824", "CVE-2022-22825", "CVE-2022-22826", "CVE-2022-22827", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23852", "CVE-2022-23990", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25315", "CVE-2022-26377", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-30556", "CVE-2022-31813"], "modified": "2022-07-13T18:04:48", "id": "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "href": "https://www.ibm.com/support/pages/node/710969", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-12-17T15:13:01", "description": "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. 
By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-12T18:15:00", "type": "debiancve", "title": "CVE-2019-17566", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-12T18:15:00", "id": "DEBIANCVE:CVE-2019-17566", "href": "https://security-tracker.debian.org/tracker/CVE-2019-17566", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-01-11T15:17:11", "description": "This update for xmlgraphics-batik fixes the following issues :\n\n - CVE-2019-17566: Fixed a SSRF which might have allowed the underlying server to make arbitrary GET requests (bsc#1172961).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-20T00:00:00", "type": "nessus", "title": "openSUSE Security Update : xmlgraphics-batik (openSUSE-2020-851)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:xmlgraphics-batik", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-demo", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-rasterizer", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-slideshow", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-squiggle", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-svgpp", "p-cpe:/a:novell:opensuse:xmlgraphics-batik-ttf2svg", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-851.NASL", "href": "https://www.tenable.com/plugins/nessus/138698", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-851.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138698);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-17566\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n 
script_name(english:\"openSUSE Security Update : xmlgraphics-batik (openSUSE-2020-851)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for xmlgraphics-batik fixes the following issues :\n\n - CVE-2019-17566: Fixed a SSRF which might have allowed\n the underlying server to make arbitrary GET requests\n (bsc#1172961).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172961\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xmlgraphics-batik packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-rasterizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-slideshow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-squiggle\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-svgpp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:xmlgraphics-batik-ttf2svg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-demo-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-rasterizer-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-slideshow-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-squiggle-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"xmlgraphics-batik-svgpp-1.9-lp151.6.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", 
reference:\"xmlgraphics-batik-ttf2svg-1.9-lp151.6.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xmlgraphics-batik / xmlgraphics-batik-demo / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-10T14:50:40", "description": "The IBM WebSphere Application Server running on the remote host is version 8.0.0.0 through 8.0.0.15, 8.5.0.x prior to 8.5.5.18, or 9.0.x prior to 9.0.5.5. It is, therefore, affected by a server-side request forgery vulnerability due to improper input validation by the xlink:href attributes. An unauthenticated, remote attacker can exploit this to cause the underlying server to make arbitrary GET requests.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.18 / 9.0.x < 9.0.5.5 SSRF (CVE-2019-17566)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_6322683.NASL", "href": "https://www.tenable.com/plugins/nessus/142059", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142059);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-17566\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"IBM WebSphere Application Server 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.18 / 9.0.x < 9.0.5.5 SSRF (CVE-2019-17566)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a server-side request forgery vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere Application Server running on the remote host is version 8.0.0.0 through 8.0.0.15, 8.5.0.x prior to\n8.5.5.18, or 9.0.x prior to 9.0.5.5. It is, therefore, affected by a server-side request forgery vulnerability due to\nimproper input validation by the xlink:href attributes. An unauthenticated, remote attacker can exploit this to cause\nthe underlying server to make arbitrary GET requests.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/6322683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM WebSphere Application Server 8.5.5.18, 9.0.5.5, or later. 
Alternatively, upgrade to the minimal fix pack\nlevels required by the interim fix and then apply Interim Fix PH26761.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17566\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"ibm_enum_products.nbin\", \"ibm_websphere_application_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM WebSphere Application Server';\nfix = 'Interim Fix PH26761';\n\napp_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n# If the detection is only remote, Source will be set, and we should require paranoia\nif (!empty_or_null(app_info['Source']) && app_info['Source'] != 'unknown' && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nif ('PH26761' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n {'min_version':'8.0.0.0', 'max_version':'8.0.0.15', 'fixed_display':fix},\n {'min_version':'8.5.0.0', 'max_version':'8.5.5.17', 'fixed_display':'8.5.5.18 or ' + fix},\n {'min_version':'9.0.0.0', 'max_version':'9.0.5.4', 'fixed_display':'9.0.5.5 or ' + fix}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-01-11T15:18:23", "description": "Updates to the latest upstream release of Eclipse. 
See the upstream release notes for details:\nhttps://www.eclipse.org/eclipseide/2020-06/noteworthy/\n\nAlso contains security fixes for CVE-2019-17566 and CVE-2019-17638.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-09-01T00:00:00", "type": "nessus", "title": "Fedora 32 : 1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc (2020-cf8ef2f333)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:ecj", "p-cpe:/a:fedoraproject:fedora:1:eclipse", "p-cpe:/a:fedoraproject:fedora:1:eclipse-emf", "p-cpe:/a:fedoraproject:fedora:2:eclipse-cdt", "p-cpe:/a:fedoraproject:fedora:batik", "p-cpe:/a:fedoraproject:fedora:eclipse-ecf", "p-cpe:/a:fedoraproject:fedora:eclipse-gef", "p-cpe:/a:fedoraproject:fedora:eclipse-m2e-core", 
"p-cpe:/a:fedoraproject:fedora:eclipse-mpc", "p-cpe:/a:fedoraproject:fedora:eclipse-mylyn", "p-cpe:/a:fedoraproject:fedora:eclipse-remote", "p-cpe:/a:fedoraproject:fedora:eclipse-webtools", "p-cpe:/a:fedoraproject:fedora:jetty", "p-cpe:/a:fedoraproject:fedora:lucene", "p-cpe:/a:fedoraproject:fedora:univocity-parsers", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-CF8EF2F333.NASL", "href": "https://www.tenable.com/plugins/nessus/140107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-cf8ef2f333.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140107);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-17566\", \"CVE-2019-17638\");\n script_xref(name:\"FEDORA\", value:\"2020-cf8ef2f333\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Fedora 32 : 1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc (2020-cf8ef2f333)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updates to the latest upstream release of Eclipse. 
See the upstream\nrelease notes for details:\nhttps://www.eclipse.org/eclipseide/2020-06/noteworthy/\n\nAlso contains security fixes for CVE-2019-17566 and CVE-2019-17638.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-cf8ef2f333\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:ecj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:eclipse\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:eclipse-emf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:eclipse-cdt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:batik\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-ecf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-gef\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-m2e-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-mpc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fedoraproject:fedora:eclipse-mylyn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-webtools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jetty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:univocity-parsers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"ecj-4.16-4.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-4.16-11.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-emf-2.22.0-2.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-cdt-9.11.1-8.fc32\", epoch:\"2\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"batik-1.13-1.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-ecf-3.14.8-4.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-gef-3.11.0-13.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-m2e-core-1.16.1-1.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-mpc-1.8.3-2.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-mylyn-3.25.0-3.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-remote-3.0.1-6.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-webtools-3.18.0-4.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"jetty-9.4.31-2.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"lucene-8.4.1-9.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"univocity-parsers-2.8.4-5.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik 
/ etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-07T15:19:33", "description": "The All Supported Versions versions of GoldenGate installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.\n\n - Vulnerability in Oracle GoldenGate (component: Install (Dell BSAFE Crypto-J)). The supported version that is affected is Prior to 19.1.0.0.0.210420. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle GoldenGate. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle GoldenGate accessible data. (CVE-2019-3740)\n\n - Security-in-Depth issue in Oracle GoldenGate (component: Install (jQuery)). This vulnerability cannot be exploited in the context of this product. (CVE-2020-11023) \n - Security-in-Depth issue in Oracle GoldenGate (component: General (Apache Batik)). This vulnerability cannot be exploited in the context of this product. 
(CVE-2020-11987)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-10-22T00:00:00", "type": "nessus", "title": "Oracle GoldenGate (Oct 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4969", "CVE-2012-6708", "CVE-2015-9251", "CVE-2018-10237", "CVE-2019-11358", "CVE-2019-17566", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11987", "CVE-2020-8908"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:goldengate"], "id": "ORACLE_GOLDENGATE_CPU_OCT_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/154342", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154342);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2011-4969\",\n 
\"CVE-2012-6708\",\n \"CVE-2015-9251\",\n \"CVE-2018-10237\",\n \"CVE-2019-3738\",\n \"CVE-2019-3739\",\n \"CVE-2019-3740\",\n \"CVE-2019-11358\",\n \"CVE-2019-17566\",\n \"CVE-2020-8908\",\n \"CVE-2020-11022\",\n \"CVE-2020-11023\",\n \"CVE-2020-11987\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle GoldenGate (Oct 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The All Supported Versions versions of GoldenGate installed on the remote host are affected by multiple vulnerabilities\nas referenced in the October 2021 CPU advisory.\n\n - Vulnerability in Oracle GoldenGate (component: Install (Dell BSAFE Crypto-J)). The supported version that is\n affected is Prior to 19.1.0.0.0.210420. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via Oracle Net to compromise Oracle GoldenGate. Successful attacks require human interaction\n from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized\n access to critical data or complete access to all Oracle GoldenGate accessible data. (CVE-2019-3740)\n\n - Security-in-Depth issue in Oracle GoldenGate (component: Install (jQuery)). This vulnerability cannot be\n exploited in the context of this product. (CVE-2020-11023)\n \n - Security-in-Depth issue in Oracle GoldenGate (component: General (Apache Batik)). This vulnerability cannot \n be exploited in the context of this product. 
(CVE-2020-11987)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuoct2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11987\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/10/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:goldengate\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_goldengate_installed.nbin\");\n script_require_keys(\"Oracle/GoldenGate/Installed\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle.inc');\n\nvar app_info = vcf::oracle_goldengate::get_app_info();\n\nvar constraints = [\n {\n 'min_version' : '19.1' ,\n 'fixed_version' : '19.1.0.0.211019',\n 'fixed_display' : '19.1.0.0.211019 (33376981 / 33376978 / 33376975 / 33376964)'\n }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-02-24T08:33:19", "description": "The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2022-22965)\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2022-23457)\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Third Party Jars (Apache Maven)). 
Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2021-26291)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server (Jul 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-11987", "CVE-2020-2351", "CVE-2020-28491", "CVE-2020-36518", "CVE-2021-23450", "CVE-2021-26291", "CVE-2021-40690", "CVE-2022-21548", "CVE-2022-21557", "CVE-2022-21560", "CVE-2022-21564", "CVE-2022-22965", "CVE-2022-23457", "CVE-2022-24839", "CVE-2022-29577"], 
"modified": "2023-01-18T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2022.NASL", "href": "https://www.tenable.com/plugins/nessus/163298", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163298);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/18\");\n\n script_cve_id(\n \"CVE-2019-17566\",\n \"CVE-2020-2351\",\n \"CVE-2020-11987\",\n \"CVE-2020-28491\",\n \"CVE-2020-36518\",\n \"CVE-2021-23450\",\n \"CVE-2021-26291\",\n \"CVE-2021-40690\",\n \"CVE-2022-21548\",\n \"CVE-2022-21557\",\n \"CVE-2022-21560\",\n \"CVE-2022-21564\",\n \"CVE-2022-22965\",\n \"CVE-2022-23457\",\n \"CVE-2022-24839\",\n \"CVE-2022-29577\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n script_xref(name:\"IAVA\", value:\"2022-A-0285\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle WebLogic Server (Jul 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022\nCritical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party\n Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and\n 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP\n to compromise Oracle WebLogic Server. 
Successful attacks of this vulnerability can result in takeover of\n Oracle WebLogic Server. (CVE-2022-22965)\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized\n Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0,\n 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network\n access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result\n in takeover of Oracle WebLogic Server. (CVE-2022-23457)\n\n - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized\n Third Party Jars (Apache Maven)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to\n compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized\n creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data\n as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server\n accessible data. 
(CVE-2021-26291)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpujul2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2022.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-23457\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_oracle.inc');\n\nvar app_info = vcf::oracle_weblogic::get_app_info();\n\nvar constraints = [\n { 'min_version' : '12.2.1.3.0', 'fixed_version' : '12.2.1.3.220620', 'fixed_display' : '34298772 or 34373534' },\n { 'min_version' : '12.2.1.4.0', 'fixed_version' : '12.2.1.4.220602', 'fixed_display' : '34236279 or 34373563' },\n { 'min_version' : '14.1.1.0.0', 'fixed_version' : '14.1.1.0.220727', 'fixed_display' : '34429365 or 34445145' }\n];\n\nvcf::oracle_weblogic::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:52:44", "description": "The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.\n\n - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. (CVE-2021-2351)\n\n - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any Procedure, Alter Any Table privilege with network access via Oracle Net to compromise Oracle Text.\n Successful attacks of this vulnerability can result in takeover of Oracle Text. (CVE-2021-2328)\n\n - Vulnerability in the Oracle XML DB component of Oracle Database Server. Supported versions that are affected are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any Procedure, Create Public Synonym privilege with network access via Oracle Net to compromise Oracle XML DB. Successful attacks of this vulnerability can result in takeover of Oracle XML DB.\n (CVE-2021-2329)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-23T00:00:00", "type": "nessus", "title": "Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-21010", "CVE-2019-12415", "CVE-2019-12973", "CVE-2019-17545", "CVE-2019-17566", "CVE-2020-10543", "CVE-2020-10878", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-12723", "CVE-2020-13956", "CVE-2020-15389", "CVE-2020-25649", "CVE-2020-26870", "CVE-2020-27193", "CVE-2020-27814", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28196", "CVE-2020-7760", "CVE-2020-8908", "CVE-2021-2326", "CVE-2021-2328", "CVE-2021-2329", "CVE-2021-2330", "CVE-2021-2333", "CVE-2021-23336", "CVE-2021-2334", "CVE-2021-2335", "CVE-2021-2336", "CVE-2021-2337", "CVE-2021-2351", "CVE-2021-2438", "CVE-2021-2460"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:database_server"], "id": "ORACLE_RDBMS_CPU_JUL_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/152026", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152026);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-21010\",\n \"CVE-2019-12415\",\n \"CVE-2019-12973\",\n \"CVE-2019-17545\",\n \"CVE-2019-17566\",\n \"CVE-2020-7760\",\n \"CVE-2020-8908\",\n \"CVE-2020-10543\",\n \"CVE-2020-10878\",\n \"CVE-2020-11987\",\n \"CVE-2020-11988\",\n \"CVE-2020-12723\",\n \"CVE-2020-13956\",\n \"CVE-2020-15389\",\n \"CVE-2020-25649\",\n \"CVE-2020-26870\",\n \"CVE-2020-27193\",\n \"CVE-2020-27814\",\n \"CVE-2020-27841\",\n \"CVE-2020-27842\",\n \"CVE-2020-27843\",\n \"CVE-2020-27844\",\n \"CVE-2020-27845\",\n \"CVE-2020-28196\",\n \"CVE-2021-2326\",\n \"CVE-2021-2328\",\n \"CVE-2021-2329\",\n \"CVE-2021-2330\",\n \"CVE-2021-2333\",\n \"CVE-2021-2334\",\n 
\"CVE-2021-2335\",\n \"CVE-2021-2336\",\n \"CVE-2021-2337\",\n \"CVE-2021-2351\",\n \"CVE-2021-2438\",\n \"CVE-2021-2460\",\n \"CVE-2021-23336\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0330-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0001\");\n\n script_name(english:\"Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a database server which is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as\nreferenced in the July 2021 CPU advisory.\n\n - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions\n that are affected are 12.1.0.2 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require\n human interaction from a person other than the attacker and while the vulnerability is in Advanced\n Networking Option, attacks may significantly impact additional products. Successful attacks of this\n vulnerability can result in takeover of Advanced Networking Option. (CVE-2021-2351)\n\n - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected\n are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any\n Procedure, Alter Any Table privilege with network access via Oracle Net to compromise Oracle Text.\n Successful attacks of this vulnerability can result in takeover of Oracle Text. (CVE-2021-2328)\n\n - Vulnerability in the Oracle XML DB component of Oracle Database Server. 
Supported versions that are\n affected are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having\n Create Any Procedure, Create Public Synonym privilege with network access via Oracle Net to compromise\n Oracle XML DB. Successful attacks of this vulnerability can result in takeover of Oracle XML DB.\n (CVE-2021-2329)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-17545\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:database_server\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_rdbms_query_patch_info.nbin\", \"oracle_rdbms_patch_info.nbin\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle.inc');\n\nvar app_info = vcf::oracle_rdbms::get_app_info();\n\nvar constraints = [\n # RDBMS:\n {'min_version': '19.0', 'fixed_version': '19.10.3.0.210720', 'missing_patch':'32923627', 'os':'unix', 'component':'db'},\n {'min_version': '19.0', 'fixed_version': '19.12.0.0.210720', 'missing_patch':'32832237', 'os':'win', 'component':'db'},\n {'min_version': '19.11', 'fixed_version': '19.11.1.0.210720', 'missing_patch':'32844504', 'os':'unix', 'component':'db'},\n {'min_version': '19.12', 'fixed_version': '19.12.0.0.210720', 'missing_patch':'32904851', 'os':'unix', 'component':'db'},\n \n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210720', 'missing_patch':'32916808', 'os':'unix', 'component':'db'},\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210720', 'missing_patch':'32775037', 'os':'win', 'component':'db'},\n\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210720', 'missing_patch':'32768233, 32917362', 'os':'unix', 'component':'db'},\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210720', 'missing_patch':'32774982', 'os':'win', 'component':'db'},\n \n # OJVM:\n {'min_version': '19.0', 'fixed_version': '19.12.0.0.210720', 'missing_patch':'32876380', 'os':'unix', 'component':'ojvm'},\n {'min_version': '19.0', 'fixed_version': '19.12.0.0.210720', 'missing_patch':'32876380', 'os':'win', 'component':'ojvm'},\n\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210720', 'missing_patch':'32876409', 'os':'unix', 
'component':'ojvm'},\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210720', 'missing_patch':'32905896', 'os':'win', 'component':'ojvm'},\n\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210720', 'missing_patch':'32876425', 'os':'unix', 'component':'ojvm'},\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210720', 'missing_patch':'32905878', 'os':'win', 'component':'ojvm'}\n];\n\nvcf::oracle_rdbms::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "suse": [{"lastseen": "2022-11-10T08:11:00", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for xmlgraphics-batik fixes the following issues:\n\n - CVE-2019-17566: Fixed a SSRF which might have allowed the underlying\n server to make arbitrary GET requests (bsc#1172961).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-851=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-23T00:00:00", "type": "suse", "title": "Security update for xmlgraphics-batik (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-06-23T00:00:00", "id": "OPENSUSE-SU-2020:0851-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H26W7GQ5JCRMNMV6QRWEGLVRZVIXK3RB/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-11-08T04:09:41", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for xmlgraphics-batik fixes the following issues:\n\n - CVE-2019-17566: Fixed a SSRF which might have allowed the underlying\n server to make arbitrary GET requests (bsc#1172961).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n This update was imported from the openSUSE:Leap:15.1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2020-1043=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-23T00:00:00", "type": "suse", "title": "Security update for xmlgraphics-batik (moderate)", 
"bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-07-23T00:00:00", "id": "OPENSUSE-SU-2020:1043-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JIOZHMTGG4ETJEMBNIT3YKEQUXO3JNEJ/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2023-02-09T14:39:39", "description": "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. 
By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-12T18:15:00", "type": "cve", "title": "CVE-2019-17566", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2022-12-06T21:18:00", "cpe": ["cpe:/a:oracle:communications_metasolv_solution:6.3.1", "cpe:/a:oracle:enterprise_repository:11.1.1.7.0", "cpe:/a:oracle:retail_point-of-service:14.1", "cpe:/a:oracle:retail_order_broker:16.0", "cpe:/a:oracle:business_intelligence:12.2.1.4.0", "cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3.0", "cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2", "cpe:/a:oracle:fusion_middleware_mapviewer:12.2.1.4.0", "cpe:/a:oracle:retail_returns_management:14.1", "cpe:/a:oracle:retail_integration_bus:15.0.3", "cpe:/a:oracle:business_intelligence:12.2.1.3.0", "cpe:/a:oracle:business_intelligence:5.5.0.0.0", "cpe:/a:oracle:retail_order_broker:15.0", "cpe:/a:oracle:communications_application_session_controller:3.9m0p2", 
"cpe:/a:oracle:hyperion_financial_reporting:11.1.2.4", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.1.0", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:oracle:hyperion_financial_reporting:11.2.5.0", "cpe:/a:oracle:hospitality_opera_5:5.6", "cpe:/a:oracle:business_intelligence:5.9.0.0.0", "cpe:/a:oracle:api_gateway:11.1.2.4.0", "cpe:/a:oracle:retail_order_management_system_cloud_service:19.5", "cpe:/a:oracle:hospitality_opera_5:5.5"], "id": "CVE-2019-17566", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17566", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-01-27T13:38:47", "description": "Apache Batik is vulnerable to server-side request forgery, caused by\nimproper input validation by the \"xlink:href\" attributes. By using a\nspecially-crafted argument, an attacker could exploit this vulnerability to\ncause the underlying server to make arbitrary GET requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-12T00:00:00", "type": "ubuntucve", "title": "CVE-2019-17566", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2020-11-12T00:00:00", "id": "UB:CVE-2019-17566", "href": "https://ubuntu.com/security/CVE-2019-17566", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-03-09T16:00:10", 
"description": "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-18T15:55:19", "type": "redhatcve", "title": "CVE-2019-17566", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2023-03-09T15:24:29", "id": "RH:CVE-2019-17566", "href": "https://access.redhat.com/security/cve/cve-2019-17566", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-06-25T13:30:39", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-06-23T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for xmlgraphics-batik (openSUSE-SU-2020:0851-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17566"], "modified": "2020-06-24T00:00:00", "id": "OPENVAS:1361412562310853223", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310853223", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853223\");\n script_version(\"2020-06-24T03:42:18+0000\");\n script_cve_id(\"CVE-2019-17566\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-24 03:42:18 +0000 (Wed, 24 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-23 03:00:55 +0000 (Tue, 23 Jun 2020)\");\n script_name(\"openSUSE: Security Advisory for xmlgraphics-batik (openSUSE-SU-2020:0851-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0851-1\");\n script_xref(name:\"URL\", 
value:\"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00042.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xmlgraphics-batik'\n package(s) announced via the openSUSE-SU-2020:0851-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for xmlgraphics-batik fixes the following issues:\n\n - CVE-2019-17566: Fixed a SSRF which might have allowed the underlying\n server to make arbitrary GET requests (bsc#1172961).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-851=1\");\n\n script_tag(name:\"affected\", value:\"'xmlgraphics-batik' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik\", rpm:\"xmlgraphics-batik~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-demo\", rpm:\"xmlgraphics-batik-demo~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-rasterizer\", rpm:\"xmlgraphics-batik-rasterizer~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-slideshow\", rpm:\"xmlgraphics-batik-slideshow~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-squiggle\", rpm:\"xmlgraphics-batik-squiggle~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-svgpp\", rpm:\"xmlgraphics-batik-svgpp~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xmlgraphics-batik-ttf2svg\", rpm:\"xmlgraphics-batik-ttf2svg~1.9~lp151.6.3.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2022-07-27T10:22:20", "description": "batik-svgrasterizer is vulnerable to server side request forgery (SSRF). It is possible as it does not prevent an attacker to make malicious GET requests on behalf of the server through the use of `xlink:href`attributes which allows access to internal resources.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-16T09:19:33", "type": "veracode", "title": "Server-side Request Forgery (SSRF)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", 
"integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2022-07-25T21:04:57", "id": "VERACODE:25693", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25693/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2023-03-14T05:47:44", "description": "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-09T00:46:46", "type": "osv", "title": "Server-side request forgery (SSRF) in Apache Batik", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566"], "modified": "2023-03-14T05:47:41", "id": "OSV:GHSA-CMX4-P4V5-HMR5", 
"href": "https://osv.dev/vulnerability/GHSA-cmx4-p4v5-hmr5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "Batik is a Java(tm) technology based toolkit for applications that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as viewing, generation or manipulation. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: batik-1.13-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:0D7F230979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N3V3MJVGDUNTVPXXGYR335PZJJK7LDXC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "ECJ is the Java bytecode compiler of the Eclipse Platform. It is also know n as the JDT Core batch compiler. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: ecj-4.16-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:85B0430979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLWLODMFCKDKJ26QBIPK5AR3MQNOSPFG/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Eclipse features and plugins that are useful for C and C++ development. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-cdt-9.11.1-8.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:BACE03098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XE6OXX2AYSWZGK75IGU2LQS7LBEKKDFC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The Eclipse Modeling Framework (EMF) and XML Schema Definition (XSD) plug-i ns. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-emf-2.22.0-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:EDF1E309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ABABGHU7WQLUFAROWJAVMWZ3ZM7UNIYN/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "ECF is a set of frameworks for building communications into applications and services. It provides a lightweight, modular, transport-independent, fully compliant implementation of the OSGi Remote Services standard. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-ecf-3.14.8-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:D4B143098BA2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZITNZIUYSH7CL7XAB4F5JXXHOYWLLWF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The Graphical Editing Framework (GEF) allows developers to create a rich graphical editor from an existing application model. GEF is completely application neutral and provides the groundwork to build almost any application, including but not limited to: activity diagrams, GUI builders, class diagram editors, state machines, and even WYSIWYG text editors. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-gef-3.11.0-13.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:1364530979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5NN7PR7XAFENH54SGKB2BN2LWNBLOML/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The goal of the m2ec project is to provide a first-class Apache Maven support in the Eclipse IDE, making it easier to edit Maven's pom.xml, run a build from the IDE and much more. For Java developers, the very tight integration with JDT greatly simplifies the consumption of Java artifacts either being hosted on open source repositories such as Maven Central, or in your in-house Maven repository. m2e is also a platform that lets others provide better integration with additional Maven plugins (e.g. 
Android, web development, etc.), and facilitates the distribution of those extensions through the m2e marketplace. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-m2e-core-1.16.1-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:2BD533098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KSWIWOCHSM44NPNJXPEMVWUP4MNY4SL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The Eclipse Marketplace Client provides access to extension catalogs. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-mpc-1.8.3-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:49205309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNUZYQI72GXVRLAXBPDX2AMJ7JNEQSKF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Mylyn integrates task support into Eclipse. It supports offline editing for certain task repositories and monitors work activity to hide information that is not relevant to the current task. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-mylyn-3.25.0-3.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:61A713098ED5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUVW7XMW4GUBOXWKE3HY6J7JQCKHDUTY/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Remote Services provides an extensible remote services framework. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-remote-3.0.1-6.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:7A1EA3098BA2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CYHSEP2KQHZB4RIY4CH3YRIDJ23HZWIL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Eclipse Webtools. This contains sub-packages for different sub-projects of Eclipse Webtools project, including Server Tools, SourceEditing Tools, Webservices Tools, Java EE Tools, JSF Tools, and Dali (JPA) Tools. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-webtools-3.18.0-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:94A8C309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GYWVBWBZ2A7YYHKHMDFFU53PQZXFQT4Z/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": " Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. 
Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: jetty-9.4.31-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:AF19730979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LYCAMDYHCQXK5C2737VBXFCPEIVTHIT3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "uniVocity-parsers is a suite of extremely fast and reliable parsers for Java. It provides a consistent interface for handling different file formats, and a solid framework for the development of new parsers. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: univocity-parsers-2.8.4-5.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:E0E2C3098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FSVLOHVDA54H3E4OREVT7H5BXMBIUABW/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The Eclipse platform is designed for building integrated development environments (IDEs), server-side applications, desktop applications, and everything in between. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-4.16-11.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:9F2FE3098B94", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: lucene-8.4.1-9.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:C6AD93098B94", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QOZX3KV6DJMBTIWAWF2T7TJYOKD7NVTJ/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity (CVE-2019-17566). The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987). 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-02T20:25:05", "type": "mageia", "title": "Updated batik packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2020-11987"], "modified": "2021-04-02T20:25:05", "id": "MGASA-2021-0168", "href": "https://advisories.mageia.org/MGASA-2021-0168.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2021-10-19T20:40:11", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis release of Red Hat Decision Manager 7.9.0 serves as an update to Red Hat Decision Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-05T18:43:06", "type": "redhat", "title": "(RHSA-2020:4960) Moderate: Red Hat Decision Manager 7.9.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900", "CVE-2019-17566", "CVE-2020-10683", "CVE-2020-10693", "CVE-2020-10714", "CVE-2020-1748", "CVE-2020-1945", "CVE-2020-1954", "CVE-2020-2875", "CVE-2020-2933", "CVE-2020-2934"], "modified": "2020-11-05T18:43:54", "id": "RHSA-2020:4960", "href": "https://access.redhat.com/errata/RHSA-2020:4960", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-19T20:35:47", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.9.0 serves as an update to Red Hat Process Automation Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when 
using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-05T18:44:42", "type": "redhat", "title": "(RHSA-2020:4961) Moderate: Red Hat Process Automation Manager 7.9.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900", "CVE-2019-17566", "CVE-2020-10683", "CVE-2020-10693", "CVE-2020-10714", "CVE-2020-1748", "CVE-2020-1945", "CVE-2020-1954", "CVE-2020-2875", "CVE-2020-2933", "CVE-2020-2934"], "modified": "2020-11-05T18:45:25", "id": "RHSA-2020:4961", "href": "https://access.redhat.com/errata/RHSA-2020:4961", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-19T20:37:48", "description": "This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* libquartz: XXE attacks via job description (CVE-2019-13990)\n\n* jetty: double release of resource can lead to information disclosure (CVE-2019-17638)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\n* springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)\n\n* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)\n\n* camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution (CVE-2020-11972)\n\n* camel: Netty enables Java deserialization by default which could lead to remote code execution (CVE-2020-11973)\n\n* shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)\n\n* camel: server-side template injection and arbitrary file disclosure 
on templating components (CVE-2020-11994)\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\n* shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)\n\n* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)\n\n* jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)\n\n* thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)\n\n* spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)\n\n* spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)\n\n* codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)\n\n* cxf: does not restrict the number of message attachments (CVE-2019-12406)\n\n* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)\n\n* Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)\n\n* apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)\n\n* cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)\n\n* tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (CVE-2020-9489)\n\n* dom4j: XML 
External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)\n\n* karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)\n\n* tika: excessive memory usage in PSDParser (CVE-2020-1950)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-16T12:07:05", "type": "redhat", "title": "(RHSA-2020:5568) Important: Red Hat Fuse 7.8.0 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000873", "CVE-2019-0205", "CVE-2019-0210", "CVE-2019-10202", "CVE-2019-10219", "CVE-2019-10768", "CVE-2019-11777", "CVE-2019-12406", "CVE-2019-12423", "CVE-2019-13990", 
"CVE-2019-14900", "CVE-2019-17566", "CVE-2019-17638", "CVE-2019-19343", "CVE-2019-2692", "CVE-2019-3773", "CVE-2019-3774", "CVE-2020-10683", "CVE-2020-10740", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11980", "CVE-2020-11989", "CVE-2020-11994", "CVE-2020-13692", "CVE-2020-13933", "CVE-2020-14326", "CVE-2020-1714", "CVE-2020-1719", "CVE-2020-1950", "CVE-2020-1960", "CVE-2020-5398", "CVE-2020-5410", "CVE-2020-7226", "CVE-2020-7676", "CVE-2020-9488", "CVE-2020-9489"], "modified": "2021-06-29T15:22:55", "id": "RHSA-2020:5568", "href": "https://access.redhat.com/errata/RHSA-2020:5568", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oracle": [{"lastseen": "2022-10-24T19:59:11", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 329 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2739494.1>).\n\n**Please note that since the release of the October 2020 Critical Patch Update, Oracle has released a Security Alert for Oracle WebLogic Server: [CVE-2020-14750 (November 1, 2020)](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html>). Customers are strongly advised to apply this Critical Patch Update, which includes patches for this Alert as well as additional patches.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098", "CVE-2015-4000", "CVE-2015-8965", "CVE-2016-1000031", "CVE-2016-5725", "CVE-2017-12626", "CVE-2017-5611", "CVE-2017-5645", "CVE-2017-8028", "CVE-2018-0732", "CVE-2018-10237", "CVE-2018-11775", "CVE-2018-1258", 
"CVE-2018-1285", "CVE-2018-15756", "CVE-2018-20781", "CVE-2018-2587", "CVE-2018-7318", "CVE-2018-8032", "CVE-2018-9019", "CVE-2019-0188", "CVE-2019-0227", "CVE-2019-0230", "CVE-2019-0233", "CVE-2019-10086", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10744", "CVE-2019-11135", "CVE-2019-11269", "CVE-2019-11358", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-13990", "CVE-2019-14862", "CVE-2019-1551", "CVE-2019-1559", "CVE-2019-17091", "CVE-2019-17195", "CVE-2019-17359", "CVE-2019-17563", "CVE-2019-17566", "CVE-2019-17569", "CVE-2019-20892", "CVE-2019-20907", "CVE-2019-2697", "CVE-2019-3773", "CVE-2019-3778", "CVE-2019-5427", "CVE-2019-7164", "CVE-2019-7548", "CVE-2019-9511", "CVE-2019-9513", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10722", "CVE-2020-10723", "CVE-2020-10724", "CVE-2020-10725", "CVE-2020-10726", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11612", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11984", "CVE-2020-11985", "CVE-2020-11993", "CVE-2020-11994", "CVE-2020-11996", "CVE-2020-11998", "CVE-2020-12723", "CVE-2020-13254", "CVE-2020-13596", "CVE-2020-13871", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13954", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14147", "CVE-2020-14195", "CVE-2020-14422", "CVE-2020-14750", "CVE-2020-14756", "CVE-2020-14803", "CVE-2020-15025", "CVE-2020-15358", "CVE-2020-17498", "CVE-2020-17521", "CVE-2020-17530", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24583", "CVE-2020-24584", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25020", "CVE-2020-2555", "CVE-2020-25862", "CVE-2020-25863", 
"CVE-2020-25866", "CVE-2020-26575", "CVE-2020-27216", "CVE-2020-35460", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5421", "CVE-2020-7064", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8265", "CVE-2020-8277", "CVE-2020-8287", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9490", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548", "CVE-2021-1993", "CVE-2021-1994", "CVE-2021-1995", "CVE-2021-1996", "CVE-2021-1997", "CVE-2021-1998", "CVE-2021-1999", "CVE-2021-2000", "CVE-2021-2001", "CVE-2021-2002", "CVE-2021-2003", "CVE-2021-2004", "CVE-2021-2005", "CVE-2021-2006", "CVE-2021-2007", "CVE-2021-2009", "CVE-2021-2010", "CVE-2021-2011", "CVE-2021-2012", "CVE-2021-2013", "CVE-2021-2014", "CVE-2021-2015", "CVE-2021-2016", "CVE-2021-2017", "CVE-2021-2018", "CVE-2021-2019", "CVE-2021-2020", "CVE-2021-2021", "CVE-2021-2022", "CVE-2021-2023", "CVE-2021-2024", "CVE-2021-2025", "CVE-2021-2026", "CVE-2021-2027", "CVE-2021-2028", "CVE-2021-2029", "CVE-2021-2030", "CVE-2021-2031", "CVE-2021-2032", "CVE-2021-2033", "CVE-2021-2034", "CVE-2021-2035", "CVE-2021-2036", "CVE-2021-2038", "CVE-2021-2039", "CVE-2021-2040", "CVE-2021-2041", "CVE-2021-2042", "CVE-2021-2043", "CVE-2021-2044", "CVE-2021-2045", "CVE-2021-2046", "CVE-2021-2047", "CVE-2021-2048", "CVE-2021-2049", "CVE-2021-2050", "CVE-2021-2051", "CVE-2021-2052", "CVE-2021-2054", "CVE-2021-2055", "CVE-2021-2056", "CVE-2021-2057", "CVE-2021-2058", "CVE-2021-2059", "CVE-2021-2060", "CVE-2021-2061", "CVE-2021-2062", "CVE-2021-2063", "CVE-2021-2064", "CVE-2021-2065", "CVE-2021-2066", "CVE-2021-2067", "CVE-2021-2068", "CVE-2021-2069", "CVE-2021-2070", "CVE-2021-2071", "CVE-2021-2072", "CVE-2021-2073", "CVE-2021-2074", "CVE-2021-2075", "CVE-2021-2076", "CVE-2021-2077", "CVE-2021-2078", "CVE-2021-2079", "CVE-2021-2080", "CVE-2021-2081", "CVE-2021-2082", "CVE-2021-2083", "CVE-2021-2084", "CVE-2021-2085", "CVE-2021-2086", "CVE-2021-2087", "CVE-2021-2088", "CVE-2021-2089", "CVE-2021-2090", 
"CVE-2021-2091", "CVE-2021-2092", "CVE-2021-2093", "CVE-2021-2094", "CVE-2021-2096", "CVE-2021-2097", "CVE-2021-2098", "CVE-2021-2099", "CVE-2021-2100", "CVE-2021-2101", "CVE-2021-2102", "CVE-2021-2103", "CVE-2021-2104", "CVE-2021-2105", "CVE-2021-2106", "CVE-2021-2107", "CVE-2021-2108", "CVE-2021-2109", "CVE-2021-2110", "CVE-2021-2111", "CVE-2021-2112", "CVE-2021-2113", "CVE-2021-2114", "CVE-2021-2115", "CVE-2021-2116", "CVE-2021-2117", "CVE-2021-2118", "CVE-2021-2119", "CVE-2021-2120", "CVE-2021-2121", "CVE-2021-2122", "CVE-2021-2123", "CVE-2021-2124", "CVE-2021-2125", "CVE-2021-2126", "CVE-2021-2127", "CVE-2021-2128", "CVE-2021-2129", "CVE-2021-2130", "CVE-2021-2131"], "modified": "2021-02-22T00:00:00", "id": "ORACLE:CPUJAN2021", "href": "https://www.oracle.com/security-alerts/cpujan2021.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-13T15:22:10", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. 
Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 370 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2900500.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1285", "CVE-2018-1311", "CVE-2018-18893", "CVE-2018-25032", "CVE-2018-5158", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-10086", "CVE-2019-10092", "CVE-2019-12415", "CVE-2019-1543", "CVE-2019-17195", "CVE-2019-17566", "CVE-2019-19956", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-2904", "CVE-2019-3855", "CVE-2019-3856", "CVE-2019-3857", "CVE-2019-3858", 
"CVE-2019-3859", "CVE-2019-3860", "CVE-2019-3861", "CVE-2019-3862", "CVE-2019-3863", "CVE-2020-10543", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11987", "CVE-2020-12723", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14195", "CVE-2020-16856", "CVE-2020-16874", "CVE-2020-17521", "CVE-2020-1934", "CVE-2020-24977", "CVE-2020-25649", "CVE-2020-28052", "CVE-2020-29508", "CVE-2020-29582", "CVE-2020-35163", "CVE-2020-35164", "CVE-2020-35166", "CVE-2020-35167", "CVE-2020-35168", "CVE-2020-35169", "CVE-2020-36189", "CVE-2020-36518", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7595", "CVE-2020-7712", "CVE-2020-9484", "CVE-2020-9492", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21707", "CVE-2021-21708", "CVE-2021-21783", "CVE-2021-22118", "CVE-2021-22144", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23926", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26291", "CVE-2021-26690", "CVE-2021-26691", "CVE-2021-28163", "CVE-2021-28164", "CVE-2021-28165", "CVE-2021-28490", "CVE-2021-29425", "CVE-2021-30129", "CVE-2021-30639", "CVE-2021-31805", "CVE-2021-3426", "CVE-2021-34429", "CVE-2021-34798", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-3597", "CVE-2021-36090", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-36483", "CVE-2021-3737", "CVE-2021-38153", "CVE-2021-38604", "CVE-2021-3918", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-4048", "CVE-2021-40528", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-41495", "CVE-2021-41496", "CVE-2021-4178", "CVE-2021-43396", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43859", "CVE-2021-44228", "CVE-2021-44790", 
"CVE-2021-44832", "CVE-2022-0778", "CVE-2022-1154", "CVE-2022-1292", "CVE-2022-1586", "CVE-2022-1587", "CVE-2022-2047", "CVE-2022-2048", "CVE-2022-2068", "CVE-2022-2097", "CVE-2022-21123", "CVE-2022-21125", "CVE-2022-21127", "CVE-2022-21166", "CVE-2022-21540", "CVE-2022-21541", "CVE-2022-21549", "CVE-2022-21587", "CVE-2022-21589", "CVE-2022-21590", "CVE-2022-21591", "CVE-2022-21592", "CVE-2022-21593", "CVE-2022-21594", "CVE-2022-21595", "CVE-2022-21596", "CVE-2022-21597", "CVE-2022-21598", "CVE-2022-21599", "CVE-2022-21600", "CVE-2022-21601", "CVE-2022-21602", "CVE-2022-21603", "CVE-2022-21604", "CVE-2022-21605", "CVE-2022-21606", "CVE-2022-21607", "CVE-2022-21608", "CVE-2022-21609", "CVE-2022-21610", "CVE-2022-21611", "CVE-2022-21612", "CVE-2022-21613", "CVE-2022-21614", "CVE-2022-21615", "CVE-2022-21616", "CVE-2022-21617", "CVE-2022-21618", "CVE-2022-21619", "CVE-2022-21620", "CVE-2022-21621", "CVE-2022-21622", "CVE-2022-21623", "CVE-2022-21624", "CVE-2022-21625", "CVE-2022-21626", "CVE-2022-21627", "CVE-2022-21628", "CVE-2022-21629", "CVE-2022-21630", "CVE-2022-21631", "CVE-2022-21632", "CVE-2022-21633", "CVE-2022-21634", "CVE-2022-21635", "CVE-2022-21636", "CVE-2022-21637", "CVE-2022-21638", "CVE-2022-21639", "CVE-2022-21640", "CVE-2022-21641", "CVE-2022-2191", "CVE-2022-22720", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-22970", "CVE-2022-22971", "CVE-2022-22976", "CVE-2022-22978", "CVE-2022-23181", "CVE-2022-23218", "CVE-2022-23219", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23457", "CVE-2022-23632", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24675", "CVE-2022-24728", "CVE-2022-24729", "CVE-2022-24761", "CVE-2022-24785", "CVE-2022-24823", "CVE-2022-24891", "CVE-2022-25169", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315", "CVE-2022-25647", "CVE-2022-25857", "CVE-2022-26377", "CVE-2022-27778", "CVE-2022-27779", "CVE-2022-27780", "CVE-2022-27781", "CVE-2022-27782", 
"CVE-2022-28327", "CVE-2022-28330", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-29577", "CVE-2022-29824", "CVE-2022-29885", "CVE-2022-30115", "CVE-2022-30126", "CVE-2022-30522", "CVE-2022-30556", "CVE-2022-31129", "CVE-2022-31813", "CVE-2022-32205", "CVE-2022-32206", "CVE-2022-32207", "CVE-2022-32208", "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-32214", "CVE-2022-32215", "CVE-2022-32222", "CVE-2022-32223", "CVE-2022-32532", "CVE-2022-33879", "CVE-2022-33980", "CVE-2022-34169", "CVE-2022-34305", "CVE-2022-35255", "CVE-2022-35256", "CVE-2022-35737", "CVE-2022-36033", "CVE-2022-38749", "CVE-2022-38750", "CVE-2022-38751", "CVE-2022-38752", "CVE-2022-39399", "CVE-2022-39400", "CVE-2022-39401", "CVE-2022-39402", "CVE-2022-39403", "CVE-2022-39404", "CVE-2022-39405", "CVE-2022-39406", "CVE-2022-39407", "CVE-2022-39408", "CVE-2022-39409", "CVE-2022-39410", "CVE-2022-39411", "CVE-2022-39412", "CVE-2022-39417", "CVE-2022-39419", "CVE-2022-39420", "CVE-2022-39421", "CVE-2022-39422", "CVE-2022-39423", "CVE-2022-39424", "CVE-2022-39425", "CVE-2022-39426", "CVE-2022-39427", "CVE-2022-39428"], "modified": "2022-12-12T00:00:00", "id": "ORACLE:CPUOCT2022", "href": "https://www.oracle.com/security-alerts/cpuoct2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T15:44:17", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. 
Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 342 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2788740.1>).\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29582", "CVE-2021-2389", "CVE-2020-11612", "CVE-2020-26217", "CVE-2020-27783", "CVE-2021-26272", "CVE-2020-7017", "CVE-2018-15686", "CVE-2021-2339", "CVE-2020-12723", "CVE-2021-30369", "CVE-2021-2423", "CVE-2017-16931", "CVE-2017-9735", "CVE-2021-2441", "CVE-2021-25122", "CVE-2021-2402", "CVE-2020-28928", "CVE-2020-11023", "CVE-2021-2340", "CVE-2020-7712", "CVE-2020-28196", "CVE-2021-2354", "CVE-2020-9484", "CVE-2021-2362", "CVE-2019-16942", "CVE-2021-2357", "CVE-2019-11358", "CVE-2021-22884", "CVE-2021-2407", "CVE-2021-2244", "CVE-2019-15605", "CVE-2020-36184", "CVE-2020-27841", "CVE-2021-22897", "CVE-2021-27807", "CVE-2021-2371", "CVE-2021-2406", "CVE-2021-3177", "CVE-2019-17545", "CVE-2019-17195", "CVE-2021-21341", "CVE-2012-0881", "CVE-2021-2463", "CVE-2020-13935", "CVE-2021-2450", "CVE-2020-11022", "CVE-2021-2400", "CVE-2017-7657", "CVE-2021-2457", "CVE-2021-20227", "CVE-2021-2409", "CVE-2021-2437", "CVE-2020-10683", "CVE-2019-3740", "CVE-2020-14756", "CVE-2019-0210", "CVE-2020-8554", "CVE-2021-2334", "CVE-2019-0190", "CVE-2021-3449", "CVE-2021-2456", "CVE-2020-35728", "CVE-2017-3735", "CVE-2019-3738", "CVE-2021-2419", "CVE-2020-17527", "CVE-2017-7658", "CVE-2021-28041", "CVE-2021-26117", "CVE-2020-5413", "CVE-2020-36182", "CVE-2020-27845", "CVE-2021-2428", "CVE-2019-17566", "CVE-2021-2324", "CVE-2020-8284", "CVE-2021-2388", "CVE-2021-2367", "CVE-2019-10086", "CVE-2021-2458", "CVE-2020-27844", "CVE-2020-26870", "CVE-2021-2435", "CVE-2021-21349", "CVE-2021-2366", "CVE-2020-36181", "CVE-2021-3520", "CVE-2021-3156", "CVE-2021-21348", "CVE-2021-2382", "CVE-2020-11973", "CVE-2021-2431", "CVE-2019-16943", "CVE-2021-2373", "CVE-2020-8174", "CVE-2020-5421", "CVE-2020-28052", "CVE-2019-13990", "CVE-2021-21350", "CVE-2021-2433", "CVE-2021-23336", "CVE-2020-7016", "CVE-2019-5063", "CVE-2021-21342", "CVE-2020-17530", "CVE-2021-2393", 
"CVE-2019-3739", "CVE-2020-36186", "CVE-2020-1968", "CVE-2020-10543", "CVE-2020-13949", "CVE-2021-2425", "CVE-2019-10746", "CVE-2019-2897", "CVE-2021-21344", "CVE-2016-0762", "CVE-2021-2429", "CVE-2021-3450", "CVE-2021-23840", "CVE-2021-2434", "CVE-2020-14061", "CVE-2020-15389", "CVE-2021-2411", "CVE-2021-2412", "CVE-2021-22890", "CVE-2021-2408", "CVE-2020-5258", "CVE-2021-2452", "CVE-2021-2394", "CVE-2021-26271", "CVE-2020-27216", "CVE-2021-2374", "CVE-2020-11998", "CVE-2021-2422", "CVE-2021-2341", "CVE-2020-7760", "CVE-2021-22876", "CVE-2020-11979", "CVE-2021-23839", "CVE-2020-27842", "CVE-2021-2323", "CVE-2020-2604", "CVE-2021-2446", "CVE-2021-2449", "CVE-2021-2356", "CVE-2018-7160", "CVE-2019-0201", "CVE-2021-2363", "CVE-2020-17521", "CVE-2021-27568", "CVE-2018-7183", "CVE-2021-2380", "CVE-2021-2448", "CVE-2020-27814", "CVE-2021-2395", "CVE-2021-21409", "CVE-2021-2347", "CVE-2019-17531", "CVE-2020-8285", "CVE-2020-1945", "CVE-2020-1941", "CVE-2020-11868", "CVE-2021-2330", "CVE-2021-20190", "CVE-2021-2410", "CVE-2018-0739", "CVE-2021-2364", "CVE-2019-12973", "CVE-2021-2349", "CVE-2019-15606", "CVE-2021-2455", "CVE-2020-36185", "CVE-2020-1971", "CVE-2021-2370", "CVE-2020-25649", "CVE-2021-3560", "CVE-2021-21346", "CVE-2021-2328", "CVE-2021-2387", "CVE-2020-11988", "CVE-2021-22118", "CVE-2020-11987", "CVE-2021-2365", "CVE-2021-21345", "CVE-2021-22898", "CVE-2021-2444", "CVE-2021-2453", "CVE-2020-35490", "CVE-2016-4429", "CVE-2021-3345", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-2372", "CVE-2021-2359", "CVE-2021-2462", "CVE-2021-24122", "CVE-2017-5637", "CVE-2021-2397", "CVE-2019-0228", "CVE-2021-2427", "CVE-2019-17543", "CVE-2021-2439", "CVE-2017-7656", "CVE-2021-2353", "CVE-2021-2335", "CVE-2021-29921", "CVE-2021-2447", "CVE-2020-8203", "CVE-2021-2345", "CVE-2021-2398", "CVE-2020-9489", "CVE-2020-24616", "CVE-2021-2424", "CVE-2021-2420", "CVE-2020-5397", "CVE-2021-2355", "CVE-2021-2375", "CVE-2021-21351", "CVE-2020-36187", "CVE-2021-2430", "CVE-2021-2405", 
"CVE-2021-30640", "CVE-2021-2385", "CVE-2021-2445", "CVE-2021-2438", "CVE-2020-24750", "CVE-2020-8277", "CVE-2021-2384", "CVE-2020-35491", "CVE-2021-2337", "CVE-2021-23841", "CVE-2021-2404", "CVE-2020-13934", "CVE-2019-12402", "CVE-2021-2326", "CVE-2021-2343", "CVE-2017-14735", "CVE-2020-27218", "CVE-2021-2358", "CVE-2019-15604", "CVE-2019-2725", "CVE-2021-33037", "CVE-2021-2377", "CVE-2020-1967", "CVE-2020-8286", "CVE-2021-2436", "CVE-2020-27193", "CVE-2021-2342", "CVE-2021-2440", "CVE-2021-2399", "CVE-2021-2352", "CVE-2021-2329", "CVE-2020-36183", "CVE-2021-2426", "CVE-2021-2396", "CVE-2021-2346", "CVE-2021-2338", "CVE-2021-21275", "CVE-2021-2432", "CVE-2017-5461", "CVE-2021-2368", "CVE-2021-2350", "CVE-2015-0254", "CVE-2019-12415", "CVE-2020-7733", "CVE-2021-2418", "CVE-2020-5398", "CVE-2021-2378", "CVE-2020-25648", "CVE-2021-2351", "CVE-2021-2360", "CVE-2021-2333", "CVE-2021-31811", "CVE-2021-2417", "CVE-2019-5064", "CVE-2020-14060", "CVE-2019-0205", "CVE-2018-0737", "CVE-2020-36189", "CVE-2019-12399", "CVE-2021-22112", "CVE-2020-36179", "CVE-2020-27843", "CVE-2020-13956", "CVE-2020-14062", "CVE-2021-21347", "CVE-2021-25329", "CVE-2021-2403", "CVE-2021-2421", "CVE-2021-21343", "CVE-2021-2336", "CVE-2021-2369", "CVE-2021-2376", "CVE-2020-10878", "CVE-2019-10173", "CVE-2021-27906", "CVE-2020-8908", "CVE-2021-2451", "CVE-2021-2383", "CVE-2021-2454", "CVE-2021-2390", "CVE-2021-2415", "CVE-2021-2381", "CVE-2021-22883", "CVE-2021-2443", "CVE-2019-0219", "CVE-2020-14195", "CVE-2020-2555", "CVE-2019-20330", "CVE-2021-21290", "CVE-2021-2460", "CVE-2019-2729", "CVE-2021-22901", "CVE-2021-2442", "CVE-2021-2344", "CVE-2021-2401", "CVE-2020-25638", "CVE-2020-24553", "CVE-2021-2386", "CVE-2021-2392", "CVE-2021-2361", "CVE-2021-2348", "CVE-2018-21010", "CVE-2019-12260", "CVE-2021-2391"], "modified": "2021-09-03T00:00:00", "id": "ORACLE:CPUJUL2021", "href": "https://www.oracle.com/security-alerts/cpujul2021.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T15:44:16", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 391 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2765149.1>).\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2288", "CVE-2021-2271", "CVE-2021-2204", "CVE-2020-11612", "CVE-2020-26217", "CVE-2021-2163", "CVE-2021-2188", "CVE-2020-12723", "CVE-2019-5108", "CVE-2021-2276", "CVE-2021-2302", "CVE-2021-2297", "CVE-2021-2247", "CVE-2021-2231", "CVE-2019-12086", "CVE-2020-16166", "CVE-2021-2218", "CVE-2021-2207", "CVE-2021-2153", "CVE-2021-2239", "CVE-2021-2310", "CVE-2020-16845", "CVE-2021-2235", "CVE-2016-7103", "CVE-2019-15218", "CVE-2019-12423", "CVE-2021-2175", "CVE-2021-2278", "CVE-2018-1000180", "CVE-2019-10247", "CVE-2021-2189", "CVE-2020-11023", "CVE-2021-2152", "CVE-2021-2311", "CVE-2021-2147", 
"CVE-2021-2198", "CVE-2020-13434", "CVE-2020-28196", "CVE-2020-9484", "CVE-2019-16942", "CVE-2021-2201", "CVE-2021-2220", "CVE-2020-1927", "CVE-2019-10098", "CVE-2021-2134", "CVE-2019-11358", "CVE-2021-22884", "CVE-2019-3900", "CVE-2021-2244", "CVE-2020-36184", "CVE-2019-10080", "CVE-2020-27841", "CVE-2020-14039", "CVE-2020-5408", "CVE-2021-2183", "CVE-2021-2212", "CVE-2018-14550", "CVE-2019-17195", "CVE-2021-2169", "CVE-2021-2301", "CVE-2020-13935", "CVE-2020-9480", "CVE-2020-11022", "CVE-2021-2191", "CVE-2021-2182", "CVE-2021-2307", "CVE-2021-2208", "CVE-2021-20227", "CVE-2021-2234", "CVE-2020-7919", "CVE-2020-10683", "CVE-2019-3740", "CVE-2021-2149", "CVE-2021-2225", "CVE-2021-3449", "CVE-2019-10639", "CVE-2021-2210", "CVE-2020-35728", "CVE-2021-2270", "CVE-2021-2221", "CVE-2021-2253", "CVE-2019-3738", "CVE-2019-17638", "CVE-2021-2292", "CVE-2021-2251", "CVE-2020-17527", "CVE-2016-5725", "CVE-2019-7317", "CVE-2020-11994", "CVE-2020-26419", "CVE-2021-2151", "CVE-2021-2242", "CVE-2019-12419", "CVE-2020-5413", "CVE-2019-8331", "CVE-2021-2162", "CVE-2020-36182", "CVE-2020-5407", "CVE-2019-1241", "CVE-2020-27845", "CVE-2021-2300", "CVE-2020-24394", "CVE-2019-19052", "CVE-2019-17566", "CVE-2021-2154", "CVE-2019-3773", "CVE-2020-8284", "CVE-2020-12114", "CVE-2021-2180", "CVE-2020-13954", "CVE-2019-10086", "CVE-2017-12626", "CVE-2020-27844", "CVE-2021-2249", "CVE-2019-17571", "CVE-2021-2284", "CVE-2021-2226", "CVE-2021-2158", "CVE-2017-18640", "CVE-2021-2230", "CVE-2020-36181", "CVE-2021-2250", "CVE-2021-2205", "CVE-2021-2144", "CVE-2021-22191", "CVE-2021-2053", "CVE-2021-2214", "CVE-2020-11973", "CVE-2021-2318", "CVE-2020-10188", "CVE-2020-11656", "CVE-2020-26421", "CVE-2021-2266", "CVE-2021-2181", "CVE-2018-8032", "CVE-2020-5421", "CVE-2021-2140", "CVE-2021-2211", "CVE-2020-28052", "CVE-2020-5360", "CVE-2021-2308", "CVE-2021-2303", "CVE-2019-19922", "CVE-2021-2282", "CVE-2021-23336", "CVE-2021-2298", "CVE-2019-5063", "CVE-2020-17530", "CVE-2019-3739", 
"CVE-2020-36186", "CVE-2020-1968", "CVE-2020-10543", "CVE-2019-0232", "CVE-2020-7069", "CVE-2021-2195", "CVE-2020-9327", "CVE-2018-14042", "CVE-2021-2305", "CVE-2021-2295", "CVE-2020-1472", "CVE-2021-2136", "CVE-2020-5359", "CVE-2021-3450", "CVE-2018-1285", "CVE-2021-23840", "CVE-2021-2167", "CVE-2020-26420", "CVE-2020-14061", "CVE-2021-2316", "CVE-2019-19078", "CVE-2019-0233", "CVE-2021-2238", "CVE-2021-2268", "CVE-2021-2321", "CVE-2019-17495", "CVE-2020-7774", "CVE-2021-2245", "CVE-2020-27216", "CVE-2020-11998", "CVE-2020-10769", "CVE-2020-9281", "CVE-2020-7760", "CVE-2021-2166", "CVE-2021-2272", "CVE-2019-0230", "CVE-2020-11979", "CVE-2019-3874", "CVE-2021-23839", "CVE-2020-27842", "CVE-2021-2287", "CVE-2021-2237", "CVE-2020-26422", "CVE-2021-2264", "CVE-2021-2160", "CVE-2018-14041", "CVE-2021-2291", "CVE-2020-17521", "CVE-2021-2155", "CVE-2021-2173", "CVE-2021-2293", "CVE-2019-17075", "CVE-2021-2315", "CVE-2021-2277", "CVE-2021-2317", "CVE-2021-22174", "CVE-2019-20812", "CVE-2021-2229", "CVE-2021-2216", "CVE-2021-2259", "CVE-2021-2194", "CVE-2019-16746", "CVE-2019-19535", "CVE-2020-8285", "CVE-2021-2320", "CVE-2020-1945", "CVE-2021-2190", "CVE-2020-1941", "CVE-2021-2273", "CVE-2021-2312", "CVE-2020-36185", "CVE-2020-1971", "CVE-2020-25649", "CVE-2019-11599", "CVE-2021-2199", "CVE-2019-12406", "CVE-2019-5428", "CVE-2020-11987", "CVE-2021-2219", "CVE-2018-1000613", "CVE-2019-19063", "CVE-2021-2285", "CVE-2021-21345", "CVE-2020-11655", "CVE-2021-2314", "CVE-2021-2241", "CVE-2021-2269", "CVE-2020-35490", "CVE-2021-2200", "CVE-2021-2179", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-2192", "CVE-2021-2309", "CVE-2021-2159", "CVE-2021-2156", "CVE-2021-2186", "CVE-2020-13943", "CVE-2021-2202", "CVE-2020-13435", "CVE-2019-19066", "CVE-2021-2281", "CVE-2021-2283", "CVE-2019-0228", "CVE-2020-9488", "CVE-2021-2222", "CVE-2019-17632", "CVE-2021-2184", "CVE-2021-2296", "CVE-2020-10751", "CVE-2021-2187", "CVE-2021-2008", "CVE-2018-16884", "CVE-2020-8203", "CVE-2018-14040", 
"CVE-2020-7059", "CVE-2019-10638", "CVE-2021-2304", "CVE-2019-18885", "CVE-2020-9489", "CVE-2021-2224", "CVE-2020-24616", "CVE-2021-2279", "CVE-2020-26418", "CVE-2021-2185", "CVE-2020-36187", "CVE-2021-2170", "CVE-2021-2161", "CVE-2021-2246", "CVE-2021-2223", "CVE-2020-24750", "CVE-2021-2227", "CVE-2020-8277", "CVE-2019-11487", "CVE-2021-2319", "CVE-2021-2135", "CVE-2021-2146", "CVE-2021-2261", "CVE-2021-2280", "CVE-2020-35491", "CVE-2021-2145", "CVE-2021-2150", "CVE-2021-2236", "CVE-2019-2904", "CVE-2021-23841", "CVE-2021-2215", "CVE-2021-22173", "CVE-2020-13934", "CVE-2019-12402", "CVE-2017-14735", "CVE-2019-10072", "CVE-2019-14898", "CVE-2017-1000061", "CVE-2020-27218", "CVE-2021-2240", "CVE-2021-2141", "CVE-2020-7060", "CVE-2021-2203", "CVE-2021-2260", "CVE-2021-2196", "CVE-2018-1000632", "CVE-2020-1967", "CVE-2021-2274", "CVE-2020-8286", "CVE-2021-2255", "CVE-2019-19073", "CVE-2021-2213", "CVE-2021-2193", "CVE-2020-27193", "CVE-2021-2256", "CVE-2020-27223", "CVE-2017-5645", "CVE-2020-15358", "CVE-2021-2252", "CVE-2018-20843", "CVE-2021-2177", "CVE-2020-36183", "CVE-2021-2171", "CVE-2019-17573", "CVE-2021-2217", "CVE-2021-2290", "CVE-2021-2254", "CVE-2021-2299", "CVE-2021-2267", "CVE-2021-2275", "CVE-2019-19074", "CVE-2019-12415", "CVE-2020-5398", "CVE-2021-2164", "CVE-2021-2262", "CVE-2021-2142", "CVE-2019-5064", "CVE-2020-14060", "CVE-2020-36189", "CVE-2021-2206", "CVE-2021-2258", "CVE-2019-12399", "CVE-2020-12771", "CVE-2021-22112", "CVE-2020-36179", "CVE-2021-2306", "CVE-2020-27843", "CVE-2020-13956", "CVE-2020-14062", "CVE-2021-2172", "CVE-2020-10878", "CVE-2019-10246", "CVE-2019-10173", "CVE-2020-8908", "CVE-2020-15586", "CVE-2019-14379", "CVE-2020-13871", "CVE-2021-2263", "CVE-2021-2197", "CVE-2021-22883", "CVE-2019-0219", "CVE-2021-2209", "CVE-2020-14195", "CVE-2021-2286", "CVE-2021-2157", "CVE-2021-2289", "CVE-2019-0227", "CVE-2021-2248", "CVE-2021-21290", "CVE-2021-2228", "CVE-2019-0221", "CVE-2021-2232", "CVE-2021-2257", "CVE-2021-2178", 
"CVE-2021-2294", "CVE-2019-17133", "CVE-2021-2174", "CVE-2021-2233", "CVE-2016-2542", "CVE-2019-1551", "CVE-2020-24553", "CVE-2018-14613"], "modified": "2021-09-04T00:00:00", "id": "ORACLE:CPUAPR2021", "href": "https://www.oracle.com/security-alerts/cpuapr2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-14T23:28:54", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 497 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2832416.1>).\n\n**Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities [CVE-2021-44228 and CVE-2021-45046](<https://www.oracle.com/security-alerts/alert-cve-2021-44228.html>). Customers should review the Alert if they have not already done so.**\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29582", "CVE-2022-21353", "CVE-2022-23302", "CVE-2022-21259", "CVE-2022-21267", "CVE-2021-36090", "CVE-2020-12723", "CVE-2022-21328", "CVE-2021-42575", "CVE-2021-41164", "CVE-2021-30369", "CVE-2022-21275", "CVE-2021-39145", "CVE-2022-21356", "CVE-2022-21243", "CVE-2021-25122", "CVE-2022-21253", "CVE-2021-3448", 
"CVE-2016-7103", "CVE-2021-39148", "CVE-2022-21399", "CVE-2020-11023", "CVE-2021-28163", "CVE-2020-7712", "CVE-2020-9484", "CVE-2022-21258", "CVE-2022-21251", "CVE-2020-14340", "CVE-2019-11358", "CVE-2022-21244", "CVE-2022-21296", "CVE-2020-36184", "CVE-2022-21282", "CVE-2021-22897", "CVE-2022-21395", "CVE-2022-21367", "CVE-2021-36160", "CVE-2021-32013", "CVE-2022-21354", "CVE-2021-2371", "CVE-2021-3177", "CVE-2021-44832", "CVE-2022-21358", "CVE-2021-26691", "CVE-2020-13935", "CVE-2022-23305", "CVE-2021-32012", "CVE-2020-11022", "CVE-2022-21278", "CVE-2022-21273", "CVE-2022-21389", "CVE-2022-21346", "CVE-2020-10683", "CVE-2021-44228", "CVE-2022-21345", "CVE-2020-14756", "CVE-2022-21374", "CVE-2022-21316", "CVE-2021-3517", "CVE-2020-8554", "CVE-2022-21364", "CVE-2021-22931", "CVE-2021-3712", "CVE-2020-35728", "CVE-2021-39146", "CVE-2020-17527", "CVE-2022-21247", "CVE-2021-30639", "CVE-2021-23440", "CVE-2022-21256", "CVE-2022-21397", "CVE-2022-21362", "CVE-2022-21265", "CVE-2021-32014", "CVE-2021-35516", "CVE-2021-45105", "CVE-2021-22939", "CVE-2020-36182", "CVE-2022-21276", "CVE-2021-32827", "CVE-2021-2428", "CVE-2019-17566", "CVE-2021-21705", "CVE-2021-22947", "CVE-2022-21355", "CVE-2021-22959", "CVE-2020-8284", "CVE-2022-21280", "CVE-2021-29425", "CVE-2022-21252", "CVE-2019-10219", "CVE-2019-10086", "CVE-2022-21295", "CVE-2022-21359", "CVE-2022-21257", "CVE-2021-39147", "CVE-2022-21339", "CVE-2021-39140", "CVE-2020-15824", "CVE-2021-39154", "CVE-2022-21400", "CVE-2022-21303", "CVE-2022-21314", "CVE-2022-21308", "CVE-2020-36181", "CVE-2022-21373", "CVE-2021-22925", "CVE-2022-21309", "CVE-2022-21294", "CVE-2022-21313", "CVE-2022-21333", "CVE-2022-21299", "CVE-2021-33560", "CVE-2022-21285", "CVE-2022-21297", "CVE-2022-21325", "CVE-2022-21283", "CVE-2020-5421", "CVE-2022-21255", "CVE-2022-21322", "CVE-2020-28052", "CVE-2022-21394", "CVE-2021-34798", "CVE-2022-21326", "CVE-2021-43395", "CVE-2022-21301", "CVE-2021-23336", "CVE-2022-21289", "CVE-2020-17530", 
"CVE-2021-32723", "CVE-2021-35517", "CVE-2022-21306", "CVE-2020-36186", "CVE-2020-10543", "CVE-2020-13949", "CVE-2022-21386", "CVE-2022-21242", "CVE-2018-1324", "CVE-2022-21388", "CVE-2022-21334", "CVE-2021-33909", "CVE-2022-21398", "CVE-2022-21270", "CVE-2020-14642", "CVE-2021-3326", "CVE-2022-21366", "CVE-2022-21342", "CVE-2021-32809", "CVE-2021-23840", "CVE-2022-21248", "CVE-2019-13734", "CVE-2022-21341", "CVE-2021-39153", "CVE-2022-21372", "CVE-2020-5258", "CVE-2022-21365", "CVE-2019-17495", "CVE-2022-21305", "CVE-2021-39152", "CVE-2022-21382", "CVE-2022-21352", "CVE-2020-28469", "CVE-2020-9281", "CVE-2022-21246", "CVE-2021-38153", "CVE-2020-11979", "CVE-2022-21370", "CVE-2021-39150", "CVE-2021-34429", "CVE-2021-29923", "CVE-2022-21291", "CVE-2021-41773", "CVE-2020-17521", "CVE-2022-21338", "CVE-2021-27568", "CVE-2022-21272", "CVE-2022-21378", "CVE-2021-37137", "CVE-2022-21391", "CVE-2021-2277", "CVE-2022-21375", "CVE-2022-21300", "CVE-2021-36373", "CVE-2021-35043", "CVE-2022-21381", "CVE-2021-21409", "CVE-2022-21245", "CVE-2021-3541", "CVE-2022-21260", "CVE-2022-21323", "CVE-2022-21369", "CVE-2021-41524", "CVE-2022-21387", "CVE-2022-21402", "CVE-2021-36690", "CVE-2020-8285", "CVE-2020-1945", "CVE-2022-21350", "CVE-2022-21290", "CVE-2022-21304", "CVE-2021-36221", "CVE-2022-21330", "CVE-2021-32808", "CVE-2021-35683", "CVE-2021-3426", "CVE-2020-36185", "CVE-2020-25649", "CVE-2022-21320", "CVE-2022-21288", "CVE-2020-2934", "CVE-2021-31812", "CVE-2022-21371", "CVE-2022-21349", "CVE-2021-22118", "CVE-2022-21266", "CVE-2020-11987", "CVE-2021-22898", "CVE-2022-21307", "CVE-2022-21271", "CVE-2022-21310", "CVE-2022-21279", "CVE-2022-21377", "CVE-2021-31684", "CVE-2022-21340", "CVE-2021-35687", "CVE-2020-35490", "CVE-2022-21277", "CVE-2022-21401", "CVE-2021-28164", "CVE-2021-3711", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-39139", "CVE-2022-21286", "CVE-2021-3634", "CVE-2021-33193", "CVE-2021-42013", "CVE-2021-44224", "CVE-2020-13936", "CVE-2022-21368", 
"CVE-2022-21287", "CVE-2022-21293", "CVE-2022-21392", "CVE-2022-21312", "CVE-2021-40438", "CVE-2021-22940", "CVE-2021-29921", "CVE-2020-8203", "CVE-2022-21274", "CVE-2022-21363", "CVE-2022-21376", "CVE-2022-21292", "CVE-2020-24616", "CVE-2022-21250", "CVE-2020-13817", "CVE-2022-21344", "CVE-2020-36187", "CVE-2022-21264", "CVE-2021-22946", "CVE-2022-21249", "CVE-2021-30640", "CVE-2022-21284", "CVE-2022-21317", "CVE-2021-28169", "CVE-2020-24750", "CVE-2022-21269", "CVE-2021-37136", "CVE-2022-21336", "CVE-2022-21348", "CVE-2022-21396", "CVE-2021-44790", "CVE-2022-21379", "CVE-2022-21324", "CVE-2020-35491", "CVE-2022-21361", "CVE-2021-22924", "CVE-2021-35587", "CVE-2022-21262", "CVE-2020-13934", "CVE-2022-21254", "CVE-2021-21783", "CVE-2021-35515", "CVE-2022-21281", "CVE-2018-11771", "CVE-2021-28165", "CVE-2019-17091", "CVE-2022-21329", "CVE-2022-21321", "CVE-2021-33037", "CVE-2021-22926", "CVE-2022-21332", "CVE-2021-35684", "CVE-2021-35686", "CVE-2022-21327", "CVE-2021-36374", "CVE-2021-35685", "CVE-2022-21383", "CVE-2021-33880", "CVE-2021-39149", "CVE-2022-21403", "CVE-2020-27618", "CVE-2022-21298", "CVE-2022-21318", "CVE-2022-21302", "CVE-2021-37695", "CVE-2020-36183", "CVE-2022-21380", "CVE-2021-39144", "CVE-2022-21360", "CVE-2021-39151", "CVE-2022-21319", "CVE-2021-39275", "CVE-2021-3516", "CVE-2021-34558", "CVE-2022-21337", "CVE-2021-2351", "CVE-2022-21357", "CVE-2020-6950", "CVE-2020-28500", "CVE-2022-21331", "CVE-2021-31811", "CVE-2021-23017", "CVE-2020-36189", "CVE-2022-21315", "CVE-2020-36179", "CVE-2022-21351", "CVE-2020-13956", "CVE-2022-21268", "CVE-2021-25329", "CVE-2022-23307", "CVE-2022-21390", "CVE-2021-42340", "CVE-2021-4104", "CVE-2021-22960", "CVE-2022-21347", "CVE-2021-34428", "CVE-2020-10878", "CVE-2020-8908", "CVE-2021-21703", "CVE-2022-21393", "CVE-2021-22119", "CVE-2021-41165", "CVE-2021-45046", "CVE-2022-21311", "CVE-2022-21263", "CVE-2021-37714", "CVE-2021-39141", "CVE-2018-1311", "CVE-2021-23337", "CVE-2021-22901", "CVE-2022-21261", 
"CVE-2021-2344", "CVE-2020-8177", "CVE-2022-21335", "CVE-2021-20718", "CVE-2021-29505"], "modified": "2022-03-14T00:00:00", "id": "ORACLE:CPUJAN2022", "href": "https://www.oracle.com/security-alerts/cpujan2022.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T11:29:27", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 419 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2809080.1>).\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3522", "CVE-2021-35577", "CVE-2020-26217", "CVE-2021-35537", "CVE-2021-35595", "CVE-2021-22222", "CVE-2021-35628", "CVE-2021-26272", "CVE-2021-36090", "CVE-2021-35642", "CVE-2020-12723", "CVE-2021-2484", "CVE-2021-30369", "CVE-2016-6796", "CVE-2021-2481", "CVE-2021-25122", "CVE-2020-11112", "CVE-2021-35649", "CVE-2021-35620", "CVE-2020-28928", "CVE-2020-26116", "CVE-2021-35553", "CVE-2020-11023", "CVE-2021-35616", "CVE-2021-28163", "CVE-2021-35625", "CVE-2021-35594", "CVE-2021-35643", "CVE-2020-9484", "CVE-2021-2478", "CVE-2021-35618", "CVE-2021-3518", "CVE-2021-35586", "CVE-2021-35651", 
"CVE-2021-35604", "CVE-2019-11358", "CVE-2021-35536", "CVE-2021-22884", "CVE-2021-35580", "CVE-2020-36184", "CVE-2021-39134", "CVE-2021-31618", "CVE-2021-27807", "CVE-2021-35538", "CVE-2021-35656", "CVE-2021-3177", "CVE-2021-35636", "CVE-2018-1275", "CVE-2021-35645", "CVE-2021-35612", "CVE-2018-14550", "CVE-2019-17195", "CVE-2021-26691", "CVE-2021-35561", "CVE-2021-35666", "CVE-2021-21341", "CVE-2021-35641", "CVE-2021-35634", "CVE-2020-13950", "CVE-2020-11022", "CVE-2021-35609", "CVE-2016-2183", "CVE-2021-35543", "CVE-2021-20227", "CVE-2021-35633", "CVE-2021-22923", "CVE-2019-5427", "CVE-2019-20388", "CVE-2020-10683", "CVE-2021-35539", "CVE-2019-3740", "CVE-2021-37701", "CVE-2021-35650", "CVE-2021-3517", "CVE-2017-9841", "CVE-2021-35569", "CVE-2021-35637", "CVE-2021-3449", "CVE-2021-35657", "CVE-2021-22931", "CVE-2021-3712", "CVE-2020-35728", "CVE-2018-20034", "CVE-2019-3738", "CVE-2021-2476", "CVE-2021-2483", "CVE-2021-2480", "CVE-2020-10672", "CVE-2021-35646", "CVE-2021-35575", "CVE-2019-7317", "CVE-2021-27365", "CVE-2018-15756", "CVE-2020-11994", "CVE-2021-26117", "CVE-2018-1271", "CVE-2021-35552", "CVE-2021-35516", "CVE-2021-35566", "CVE-2020-5413", "CVE-2021-22939", "CVE-2020-36182", "CVE-2021-35585", "CVE-2019-17566", "CVE-2021-22947", "CVE-2018-11039", "CVE-2021-35635", "CVE-2021-35550", "CVE-2021-2388", "CVE-2021-29425", "CVE-2020-13954", "CVE-2019-10086", "CVE-2021-35568", "CVE-2021-35638", "CVE-2021-37712", "CVE-2021-35597", "CVE-2021-22945", "CVE-2020-15824", "CVE-2021-21349", "CVE-2021-27364", "CVE-2020-27824", "CVE-2020-36181", "CVE-2018-20032", "CVE-2021-2137", "CVE-2021-22925", "CVE-2021-3520", "CVE-2021-36222", "CVE-2021-35601", "CVE-2021-3156", "CVE-2021-21348", "CVE-2021-33560", "CVE-2021-35665", "CVE-2018-8032", "CVE-2021-35583", "CVE-2020-28052", "CVE-2019-13990", "CVE-2021-21350", "CVE-2021-35542", "CVE-2021-35662", "CVE-2021-32804", "CVE-2019-17567", "CVE-2021-23336", "CVE-2021-2482", "CVE-2021-21342", "CVE-2020-17530", "CVE-2021-35517", 
"CVE-2019-3739", "CVE-2020-36186", "CVE-2020-1968", "CVE-2020-10543", "CVE-2021-35598", "CVE-2020-7069", "CVE-2021-35565", "CVE-2021-35564", "CVE-2021-21344", "CVE-2016-0762", "CVE-2021-35626", "CVE-2018-1258", "CVE-2021-32809", "CVE-2021-3450", "CVE-2021-2485", "CVE-2020-13947", "CVE-2021-23840", "CVE-2021-35661", "CVE-2021-2416", "CVE-2020-14061", "CVE-2019-10082", "CVE-2020-10673", "CVE-2019-0233", "CVE-2020-5258", "CVE-2021-26271", "CVE-2021-35554", "CVE-2021-35617", "CVE-2020-27216", "CVE-2019-12400", "CVE-2020-11998", "CVE-2021-35589", "CVE-2021-2479", "CVE-2019-16775", "CVE-2021-2477", "CVE-2020-26137", "CVE-2021-2341", "CVE-2021-28363", "CVE-2021-35558", "CVE-2019-0230", "CVE-2021-35563", "CVE-2021-37713", "CVE-2020-11979", "CVE-2021-23839", "CVE-2021-30641", "CVE-2021-35607", "CVE-2021-35659", "CVE-2018-1257", "CVE-2020-17521", "CVE-2018-20031", "CVE-2021-2461", "CVE-2018-8088", "CVE-2021-36373", "CVE-2021-35043", "CVE-2021-21409", "CVE-2021-33503", "CVE-2021-35627", "CVE-2021-35571", "CVE-2021-35573", "CVE-2020-1945", "CVE-2020-9548", "CVE-2021-35599", "CVE-2021-2471", "CVE-2021-35647", "CVE-2020-7071", "CVE-2021-32808", "CVE-2021-3426", "CVE-2021-35578", "CVE-2021-35606", "CVE-2020-36185", "CVE-2020-1971", "CVE-2021-35610", "CVE-2020-25649", "CVE-2021-3537", "CVE-2021-21346", "CVE-2021-31812", "CVE-2020-11988", "CVE-2021-22118", "CVE-2021-35545", "CVE-2020-11987", "CVE-2021-21345", "CVE-2021-35655", "CVE-2020-8622", "CVE-2020-35490", "CVE-2021-35622", "CVE-2021-28164", "CVE-2021-3711", "CVE-2020-36188", "CVE-2020-36180", "CVE-2021-35551", "CVE-2021-35623", "CVE-2018-1272", "CVE-2021-28957", "CVE-2021-35588", "CVE-2019-0228", "CVE-2021-35602", "CVE-2020-7595", "CVE-2020-9488", "CVE-2021-35567", "CVE-2021-35611", "CVE-2021-35621", "CVE-2020-11113", "CVE-2020-7226", "CVE-2021-35658", "CVE-2021-35592", "CVE-2021-22940", "CVE-2016-5018", "CVE-2021-30468", "CVE-2021-29921", "CVE-2020-8203", "CVE-2021-35570", "CVE-2021-2332", "CVE-2020-24616", "CVE-2020-5397", 
"CVE-2018-1270", "CVE-2021-35624", "CVE-2021-21351", "CVE-2020-35452", "CVE-2021-35619", "CVE-2021-35644", "CVE-2020-36187", "CVE-2021-22946", "CVE-2021-30640", "CVE-2021-20265", "CVE-2021-35613", "CVE-2021-28169", "CVE-2021-22207", "CVE-2020-24750", "CVE-2020-8277", "CVE-2021-35590", "CVE-2020-35491", "CVE-2021-22924", "CVE-2021-23841", "CVE-2021-21783", "CVE-2021-2475", "CVE-2021-35515", "CVE-2020-27218", "CVE-2021-28165", "CVE-2021-28657", "CVE-2021-33037", "CVE-2021-35574", "CVE-2021-35648", "CVE-2021-22926", "CVE-2021-35596", "CVE-2020-1967", "CVE-2021-35660", "CVE-2021-36374", "CVE-2021-35557", "CVE-2020-7065", "CVE-2021-35654", "CVE-2021-35584", "CVE-2021-35603", "CVE-2020-27193", "CVE-2021-35593", "CVE-2021-35608", "CVE-2017-5645", "CVE-2021-27290", "CVE-2021-35541", "CVE-2018-20843", "CVE-2021-21702", "CVE-2020-11111", "CVE-2021-37695", "CVE-2020-36183", "CVE-2021-23926", "CVE-2021-35572", "CVE-2021-35559", "CVE-2018-20033", "CVE-2020-29661", "CVE-2021-2432", "CVE-2021-22696", "CVE-2021-35653", "CVE-2021-2414", "CVE-2021-35582", "CVE-2019-12415", "CVE-2021-35591", "CVE-2021-34558", "CVE-2020-5398", "CVE-2020-25648", "CVE-2021-35560", "CVE-2021-2351", "CVE-2021-35546", "CVE-2020-6950", "CVE-2021-35631", "CVE-2020-28500", "CVE-2021-31811", "CVE-2018-10237", "CVE-2020-14060", "CVE-2021-23017", "CVE-2020-36189", "CVE-2021-22922", "CVE-2021-35556", "CVE-2021-22112", "CVE-2016-6794", "CVE-2021-35540", "CVE-2020-36179", "CVE-2021-35632", "CVE-2020-13956", "CVE-2020-14062", "CVE-2021-21347", "CVE-2021-35549", "CVE-2021-35581", "CVE-2021-25329", "CVE-2021-32803", "CVE-2021-35562", "CVE-2018-11040", "CVE-2021-21343", "CVE-2021-2369", "CVE-2021-35630", "CVE-2016-6797", "CVE-2020-9546", "CVE-2021-34428", "CVE-2020-10968", "CVE-2021-35639", "CVE-2020-10878", "CVE-2021-2474", "CVE-2021-26690", "CVE-2021-27906", "CVE-2020-8908", "CVE-2016-1000031", "CVE-2021-22883", "CVE-2021-35576", "CVE-2020-14195", "CVE-2019-0227", "CVE-2020-24977", "CVE-2021-35629", "CVE-2021-25215", 
"CVE-2021-21290", "CVE-2021-23337", "CVE-2020-10969", "CVE-2021-35652", "CVE-2021-29505", "CVE-2021-35640", "CVE-2020-9547", "CVE-2021-39135"], "modified": "2022-01-18T00:00:00", "id": "ORACLE:CPUOCT2021", "href": "https://www.oracle.com/security-alerts/cpuoct2021.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}