Lucene search

K
ibmIBM1A030187296C45282C7919058ADD8AA1992811C3B3D7481CF22AA0E13A7F5096
HistoryJul 24, 2020 - 10:19 p.m.

Security Bulletin: Multiple Eclipse Jetty Vulnerabilities Affect IBM Sterling Secure Proxy Summary

2020-07-2422:19:08
www.ibm.com
10

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

Three Eclipse Jetty vulnerabilities were addressed by IBM Sterling Secure Proxy.

Vulnerability Details

CVE-ID: CVE-2019-10241
Description: Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/160676&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVE-ID: CVE-2019-10246
Description: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw when configured for showing a Listing of directory contents. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/160611&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2019-10247
Description: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/160610&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Secure Proxy 6.0.0.0 through 6.0.0.1

IBM Sterling Secure Proxy 3.4.3 through 3.4.3.2 iFix 5

Remediation/Fixes

Product

|

VRMF

|

APAR

|

How to acquire fix

—|—|—|—

IBM Secure Proxy

|

6.0.0.1

|

iFix 1

|

Fix Central

IBM Sterling Secure Proxy

|

3.4.3.2

|

iFix 6

|

Fix Central

Workarounds and Mitigations

None.

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for 1A030187296C45282C7919058ADD8AA1992811C3B3D7481CF22AA0E13A7F5096