Security Bulletin: An XML External Entity Injection (XXE) vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4772)

2020-10-0817:22:11

www.ibm.com

0.001 Low

EPSS

Percentile

47.0%

JSON

Summary

An XML External Entity Injection (XXE) vulnerability may impact IBM Cúram Social Program Management. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side request forgery or consume memory resources.

Vulnerability Details

CVEID:CVE-2020-4772
**DESCRIPTION:**An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side request forgery or consume memory resources.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189150 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
Curam SPM	7.0.10
Curam SPM	7.0.9

Remediation/Fixes

Product	VRMF	Remediation/First Fix
Cúram SPM

7.0.10

| Visit IBM Fix Central and upgrade to 7.0.10 iFix2 or a subsequent 7.0.10 release.
Cúram SPM|

7.0.9

| Visit IBM Fix Central and upgrade to 7.0.9 iFix5 or a subsequent 7.0.9 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.

CPENameOperatorVersion
cúram social program managementeqany

CPE	Name	Operator	Version
	cúram social program management	eq	any

0.001 Low

EPSS

Percentile

47.0%

JSON

Related for 29E014501D554DDDCEEF2C73AF63C4E8DBC11BBCAC4523D4024D3A1CD066A8F8