CVSS3: 8.2 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | NONE
Availability Impact | LOW

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | PARTIAL

EPSS: 0.002 Low (Percentile 51.2%)
WebSphere Application Server Java Batch, which is included in Watson Knowledge Catalog InstaScan, is vulnerable to an XML External Entity Injection (XXE) vulnerability. This has been addressed.

CVEID: CVE-2021-20492

**DESCRIPTION:** IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.

CVSS Base score: 6.5

CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/197793 for the current score.

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)
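As an added illustration of the standard mitigation for this vulnerability class (this is example code, not code from IBM or from the WebSphere product), the following Java snippet configures a JAXP DocumentBuilder so that DOCTYPE declarations, external entities and XInclude are rejected, which blocks both the information-disclosure and the entity-expansion (memory consumption) variants of XXE described above, and compares it against a default factory on a constructed probe document. The class and method names are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class XxeHardening {

    // Hardened JAXP factory (hypothetical helper name): no DOCTYPE, no external
    // general/parameter entities, no external DTD loading, no XInclude, no
    // entity expansion. Disallowing the DOCTYPE alone already stops both the
    // file-disclosure and the entity-expansion (memory exhaustion) variants.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the given parser accepts a document that declares a
    // DOCTYPE. A hardened parser must return false here.
    static boolean acceptsDoctype(DocumentBuilder b) {
        // Constructed probe input: a harmless DOCTYPE with an internal entity only,
        // so the check itself touches no files or network resources.
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE job [<!ENTITY x \"probe\">]><job>&x;</job>";
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            // A SAXParseException here means the DOCTYPE was rejected, as intended.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder dflt = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default parser accepts DOCTYPE:  " + acceptsDoctype(dflt));
        System.out.println("hardened parser accepts DOCTYPE: " + acceptsDoctype(hardenedBuilder()));
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory (StAX); a parser that reports "accepts DOCTYPE" on the probe is one to review.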
Affected Product(s) | Version(s)
---|---
Watson Knowledge Catalog InstaScan | 1.1.0 - 1.1.6
IBM strongly recommends addressing the vulnerability now.
Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
---|---|---
Watson Knowledge Catalog InstaScan | 1.1.0 - 1.1.6 | Upgrade to version 1.1.7
Note: WebSphere Application Server Java Batch is bundled with Watson Knowledge Catalog InstaScan to provide application runtime functionality.

To upgrade to version 1.1.7, run the following command on the infrastructure node of the OpenShift cluster:

```
./cpd-cli upgrade --repo <your-repo.yaml> -a wkc-instascan -n <your-name-space> --verbose --accept-all-licenses
```

Replace `<your-repo.yaml>` with the name of the repository YAML file and `<your-name-space>` with the actual OpenShift project name (Kubernetes namespace) where the product is installed.
None.
CPE | Name | Operator | Version
---|---|---|---
 | knowledge catalog | eq | 1.1.5