History: Aug 09, 2024 - 4:11 p.m.

Security Bulletin: IBM Master Data Management vulnerable to remote code execution from vulnerability in IBM WebSphere Application Server (CVE-2024-35154)

2024-08-09 16:11:53
www.ibm.com
ibm
master data management
websphere application server
vulnerability
remote code execution
cve-2024-35154

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7
Confidence: High

Summary

IBM Master Data Management versions 11.6 and 12.0 are impacted by a vulnerability in WebSphere Application Server. IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system.

Vulnerability Details

CVEID: CVE-2024-35154
**DESCRIPTION:** IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292641 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
InfoSphere Master Data Management | 12.0
InfoSphere Master Data Management | 11.6

Remediation/Fixes

Principal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin
InfoSphere Master Data Management v11.6, v12.0 | IBM WebSphere Application Server version 8.5 and 9.0. | Security Bulletin: IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibm infosphere_master_data_management_reference_data_management Match 11.6
OR
ibm infosphere_master_data_management_reference_data_management Match 12.0

Vendor | Product | Version | CPE
ibm | infosphere_master_data_management_reference_data_management | 11.6 | cpe:2.3:a:ibm:infosphere_master_data_management_reference_data_management:11.6:*:*:*:*:*:*:*
ibm | infosphere_master_data_management_reference_data_management | 12.0 | cpe:2.3:a:ibm:infosphere_master_data_management_reference_data_management:12.0:*:*:*:*:*:*:*
