Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247)

Published: 2022-06-23 16:36:10
Source: www.ibm.com

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.01 (percentile 84.0%)

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 8, that is used by IBM Sterling Connect:Direct Browser User Interface. These issues were disclosed as part of the IBM Java SDK updates in May 2018 and the Jetty Server update in May 2019.

Vulnerability Details

CVE-ID: CVE-2019-10241
Description: Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160676 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVE-ID: CVE-2019-10246
Description: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw when configured for showing a listing of directory contents. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160611 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2019-10247
Description: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160610 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Connect:Direct Browser User Interface 1.5.0.2 through 1.5.0.2 iFix24

Remediation/Fixes

Sterling Connect:Direct Browser User Interface | 1.5.0.2 | iFix25 | Fix Central - 1.5.0.2

Workarounds and Mitigations

None
