Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM56556DC3F311515B25FF2D5351265C6E4E1386C59F4D8C0B1CE6331B086BCB46
HistoryApr 20, 2022 - 5:04 p.m.

Security Bulletin: Vulnerabilities in WebSphere Liberty Profile affect IBM InfoSphere Global Name Management (CVE-2020-5258, CVE-2020-4590, CVE-2020-4421)

2022-04-2017:04:55
www.ibm.com
39

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

61.4%

JSON

Summary

There are multiple vulnerabilities in the WebSphere Liberty Profile used in IBM InfoSphere Global Name Management (GNM).

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
IBM InfoSphere Global Name Management 6.0
IBM InfoSphere Global Name Management 7.0

Note that CVE-2020-4590 and CVE-2020-4421 do not affect GNM as normally installed. They would only apply if the customer chose to manually modify their WebSphere Liberty configuration to enable and use the oauth-2.0 and/or openid connect feature, which is not a common modification. Only CVE-2020-5258 affects GNM as normally installed.

Remediation/Fixes

Per the original bulletins for CVE-2020-5258, CVE-2020-4590, and CVE-2020-4421, all three vulnerabilities can be resolved by upgrading WebSphere Liberty Profile.

  • For basic GNM (the regular version used by most customers) versions 6 and 7, upgrade to WebSphere Liberty Profile version 21.0.0.10 or later, available at IBM Fix Central.
  • For GNM version 6 Enterprise Name Search (a separate installation which does not apply to most customers), update using the files and instructions in GNM 6 interim fix 11, available at IBM Fix Central.

Workarounds and Mitigations

None

Related

ibm 104
prion 3
cve 3
ubuntucve 1
veracode 1
osv 3
redhatcve 1
debiancve 1
github 1
githubexploit 1
nessus 6
redhat 1
openvas 1
mageia 1
debian 1
oracle 5
ibm
ibm
Security Bulletin: Vulnerabilities in WebSphere Liberty Profile affect IBM InfoSphere Identity Insight (CVE-2020-4421, CVE-2020-4590, CVE-2020-5258, CVE-2021-26296)
2021-09-23 14:40:35
Security Bulletin: Potential spoofing attack in WebSphere Application Server (CVE-2020-4421)
2020-06-08 15:42:28
Security Bulletin: WebSphere security vulnerability in IBM Content Foundation on Cloud
2020-11-10 22:38:09
prion
prion
Code injection
2020-05-06 14:15:00
Design/Logic Flaw
2020-09-21 15:15:00
Code injection
2020-03-10 18:15:00
cve
cve
CVE-2020-4421
2020-05-06 14:15:00
CVE-2020-4590
2020-09-21 15:15:00
CVE-2020-5258
2020-03-10 18:15:00
ubuntucve
ubuntucve
CVE-2020-5258
2020-03-10 00:00:00
veracode
veracode
Prototype Pollution
2020-03-11 04:28:44
osv
osv
CVE-2020-5258
2020-03-10 18:15:12
Prototype pollution in dojo
2020-03-10 18:03:14
dojo - security update
2020-03-11 00:00:00
redhatcve
redhatcve
CVE-2020-5258
2020-03-11 09:40:58
debiancve
debiancve
CVE-2020-5258
2020-03-10 18:15:00
github
github
Prototype pollution in dojo
2020-03-10 18:03:14
githubexploit
githubexploit
Exploit for Code Injection in Linuxfoundation Dojo
2020-12-01 09:45:48
nessus
nessus
Oracle Enterprise Manager Ops Center UI and Other Patches (July 2021 CPU)
2023-01-19 00:00:00
Debian DLA-2139-1 : dojo security update
2020-03-12 00:00:00
Oracle Primavera Unifier (Jul 2021 CPU)
2021-07-22 00:00:00
redhat
redhat
(RHSA-2020:2054) Important: Open Liberty 20.0.0.5 Runtime security update
2020-05-11 13:29:28
openvas
openvas
Debian LTS: Security Advisory for dojo (DLA-2139-1)
2020-03-18 00:00:00
mageia
mageia
Updated dojo packages fix security vulnerability
2020-05-27 12:52:46
debian
debian
[SECURITY] [DLA 2139-1] dojo security update
2020-03-11 19:14:41
oracle
oracle
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

61.4%

JSON
Related for 56556DC3F311515B25FF2D5351265C6E4E1386C59F4D8C0B1CE6331B086BCB46
ibm104prion3cve3ubuntucve1veracode1osv3redhatcve1debiancve1github1githubexploit1nessus6redhat1openvas1mageia1debian1oracle5