Lucene search

IBM5E26535E5B5B3D3E2FD737E150CABCBFC07EF29268D1B7A5A4D9DDA7BF5A8344

HistoryJun 10, 2024 - 2:18 p.m.

Security Bulletin: IBM Master Data Management affected by IBM WebSphere Application Server vulnerabilities to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

2024-06-1014:18:12

www.ibm.com

ibm

master data management

websphere

application server

xxe

injection

vulnerability

cve-2024-22354

7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Summary

IBM Master Data Management version 11.6 and 12.0 is impacted by vulnerability in WebSphere Application Server. IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack.

Vulnerability Details

CVEID:CVE-2024-22354
**DESCRIPTION:**IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
InfoSphere Master Data Management	12.0
InfoSphere Master Data Management	11.6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by following WebSphere Application Server security bulletin

Principal Product and Version(s)	Affected Supporting Product and Version	Affected Supporting Product Security Bulletin
InfoSphere Master Data Management v11.6, v12.0	IBM WebSphere Application Server version 8.5 and 9.0.	Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibminfosphere_master_data_management_reference_data_managementMatch11.6

ibminfosphere_master_data_management_reference_data_managementMatch12.0

CPENameOperatorVersion
ibm master data managementeq11.6
ibm master data managementeq12.0

CPE	Name	Operator	Version
	ibm master data management	eq	11.6
	ibm master data management	eq	12.0

7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for 5E26535E5B5B3D3E2FD737E150CABCBFC07EF29268D1B7A5A4D9DDA7BF5A8344