Lucene search

K
ibmIBM15DA8B02C0EE18C494CE300BE00470079DE5884E7FABD33120881C0071985E51
HistoryFeb 28, 2020 - 5:01 p.m.

Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-16935)

2020-02-2817:01:53
www.ibm.com
29

EPSS

0.002

Percentile

59.2%

Summary

Python is used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVE. Note that the usage of Python within IBM Operations Analytics Predictive Insights is limited to the REST Mediation utility. If you do not use that utility then you are not affected by this bulletin.

Vulnerability Details

CVEID:CVE-2019-16935
**DESCRIPTION:**The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Operations Analytics Predictive Insights 1.3.6

Remediation/Fixes

Apply 1.3.6 Interim Fix 2 or later
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics±+Predictive+Insights&release=1.3.6

Workarounds and Mitigations

None