Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM2B237E264C52D06227024EBFAFBA2C1ED8525F45DAFB66BEB1155234DB21F47D
HistoryJun 17, 2018 - 3:40 p.m.

Security Bulletin: Security vulnerabilities have been identified in the Apache CXF component of IBM Tivoli Network Manager IP Edition (CVE-2016-6812, CVE-2016-8739)

2018-06-1715:40:33
www.ibm.com
2

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

JSON

Summary

Security vulnerabilities have been addressed in the Apache CXF component of IBM Tivoli Network Manager IP Edition.

Vulnerability Details

CVEID: CVE-2016-6812**
DESCRIPTION:** Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the FormattedServiceListWriter() function. A remote attacker could exploit this vulnerability using the 'matrix ’ parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120409 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-8739**
DESCRIPTION:** Apache CXF could allow a remote attacker to obtain sensitive information, caused by XML External Entity (XXE) vulnerability in JAX-RS implementation. By using a specially-crafted XML data, an attacker could exploit this vulnerability to read arbitrary files on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Tivoli Network Manager 4.1.1 and 4.2

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM Tivoli Network Manager IP Edition| 4.1.1.2 | IV94614| UPGRADE APACHE CXF LIBRARIES 3.0.12
<http://www-01.ibm.com/support/docview.wss?uid=swg24041066&gt;
IBM Tivoli Network Manager IP Edition| 4.2.0.3| IV94614| UPGRADE APACHE CXF LIBRARIES 3.1.10
http://www-01.ibm.com/support/docview.wss?uid=swg24043575

Workarounds and Mitigations

None

Related

openvas 1
nessus 1
fedora 1
ibm 5
cve 2
github 2
osv 4
veracode 2
redhatcve 2
prion 2
redhat 1
openvas
openvas
Fedora Update for cxf FEDORA-2016-2361e1e07a
2017-01-01 00:00:00
nessus
nessus
Fedora 25 : 1:cxf (2016-2361e1e07a)
2017-01-03 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: cxf-3.1.6-3.fc25
2016-12-31 06:51:31
ibm
ibm
Security Bulletin: Mulitiple security vulnerabilities in Apache CXF affects IBM InfoSphere Master Data Management (CVE-2016-6812 CVE-2016-8739 CVE-2017-5653 CVE-2017-5656 CVE-2017-3156)
2018-06-16 14:18:36
Security Bulletin: Multiple vulnerabilities affect IBM Rational Design Manager
2018-10-23 16:30:01
Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities
2020-05-27 08:29:07
cve
cve
CVE-2016-8739
2017-08-10 18:29:00
CVE-2016-6812
2017-08-10 16:29:00
github
github
Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS
2022-05-13 01:09:20
Improper Neutralization of Input During Web Page Generation in Apache CXF
2022-05-13 01:09:20
osv
osv
Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS
2022-05-13 01:09:20
CVE-2016-8739
2017-08-10 18:29:00
Improper Neutralization of Input During Web Page Generation in Apache CXF
2022-05-13 01:09:20
veracode
veracode
XML External Entity (XXE)
2016-12-23 04:04:51
Cross-site Scripting (XSS)
2016-12-28 03:45:07
redhatcve
redhatcve
CVE-2016-8739
2016-12-21 14:47:35
CVE-2016-6812
2016-12-21 14:47:28
prion
prion
Design/Logic Flaw
2017-08-10 18:29:00
Design/Logic Flaw
2017-08-10 16:29:00
redhat
redhat
(RHSA-2017:0868) Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
2017-04-03 21:01:34

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

JSON
Related for 2B237E264C52D06227024EBFAFBA2C1ED8525F45DAFB66BEB1155234DB21F47D
openvas1nessus1fedora1ibm5cve2github2osv4veracode2redhatcve2prion2redhat1