CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence: High
EPSS
Percentile: 90.2%
IBM Business Process Manager and IBM Business Automation Workflow are affected by multiple security vulnerabilities found in Swagger UI.
**CVEID:** CVE-2012-6708
DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not reliably differentiate selectors from HTML. In vulnerable versions, jQuery determined whether the input was HTML by looking for the `<` character anywhere in the string, giving attackers more flexibility when constructing a malicious payload. In fixed versions, jQuery only treats the input as HTML if it explicitly starts with the `<` character, limiting exploitability to attackers who can control the beginning of a string, which is far less common.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
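The selector-versus-HTML rule that CVE-2012-6708 describes can be modelled directly. The block below is an added example, not code from the IBM advisory or from jQuery: it implements the two rules exactly as the description states them (legacy: a `<` anywhere makes the string HTML; fixed: the string must begin with `<`), classifies a few constructed inputs under each, and adds the input check a defender would apply to any selector built from untrusted data. The rules are simplified models rather than the jQuery source, leading-whitespace handling is an assumption, and all function names are hypothetical.

```javascript
// Added example (not IBM's or jQuery's code): models the HTML-vs-selector
// decision behind CVE-2012-6708. Function names are hypothetical.

// Legacy rule (jQuery < 1.9) as the advisory describes it:
// any '<' anywhere in the string makes it HTML.
function isHtmlLegacy(input) {
  return input.indexOf('<') !== -1;
}

// Fixed rule (jQuery >= 1.9) as the advisory describes it:
// only a string that starts with '<' is HTML. Ignoring leading
// whitespace is an assumption of this model.
function isHtmlFixed(input) {
  return /^\s*</.test(input);
}

// What a jQuery(strInput)-style entry point would do with the string
// under the given rule: parse it as markup, or run it as a selector.
function classify(input, isHtml) {
  return isHtml(input) ? 'html' : 'selector';
}

// Defensive check for application code that assembles a selector from
// untrusted data: refuse anything that either rule could read as markup,
// so the outcome no longer depends on which jQuery version is loaded.
function assertSelector(input) {
  if (isHtmlLegacy(input)) {
    throw new Error('refusing to use an untrusted string containing "<" as a selector');
  }
  return input;
}

// Constructed inputs. "mixed" is the shape the advisory warns about: a
// selector prefix followed by attacker-influenced text that contains '<'.
const SAMPLES = {
  selector: '#results .row',
  mixed: '#results <b>x</b>',
  markup: '<b>x</b>',
};

// Classify every sample under both rules and return the table.
function summarize() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = {
      legacy: classify(s, isHtmlLegacy),
      fixed: classify(s, isHtmlFixed),
    };
  }
  return out;
}

// Run stand-alone: prints the classification table.
console.log(JSON.stringify(summarize(), null, 2));
```

The `mixed` sample is the interesting row: the legacy rule parses it as HTML, the fixed rule runs it as a selector (where it simply matches nothing). `assertSelector` is the version-independent mitigation: code that needs a selector from user input should reject a `<` outright, and code that needs markup should call an explicit HTML parser rather than relying on the entry point's guess.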
**CVEID:** CVE-2015-9251
DESCRIPTION: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
**CVEID:** CVE-2019-11358
DESCRIPTION: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
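The prototype-pollution mechanism behind CVE-2019-11358 is easier to reason about with a minimal deep merge in front of you. The block below is an added example, not code from the IBM advisory or from jQuery: `deepExtendUnsafe` reproduces the flawed pattern (every enumerable key of the source is merged, including an own `__proto__` key such as `JSON.parse` produces), `deepExtendSafe` shows the fix (skip keys that reach the prototype chain), and `containsForbiddenKey` is a validation check for untrusted JSON before it is merged at all. The untrusted input is constructed for the demonstration and all names are hypothetical.

```javascript
// Added example (not IBM's or jQuery's code): a minimal deep merge that
// reproduces the CVE-2019-11358 flaw, beside a hardened version.
// Names are hypothetical.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: merges every enumerable key of the source.
// For an own "__proto__" key, target["__proto__"] resolves to
// Object.prototype, so the recursion writes the source's nested keys onto
// the prototype shared by every object in the process.
function deepExtendUnsafe(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      const dst = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendUnsafe(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Keys that let a merge escape the target object into its prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: own keys only, forbidden keys skipped, and recursion only
// into a nested object the target itself owns (never an inherited one).
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const ownNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = deepExtendSafe(ownNested ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Validation / detection helper: does untrusted JSON contain a forbidden key
// at any depth? Useful as an input check before merging, or as a log rule.
function containsForbiddenKey(value) {
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || containsForbiddenKey(value[k])
  );
}

// Merge a constructed untrusted document with the given merge function and
// report whether an unrelated object ended up inheriting the injected key.
// Cleans up Object.prototype afterwards so later code is unaffected.
function demo(mergeFn) {
  const untrusted = JSON.parse('{"name":"report","__proto__":{"polluted":true}}');
  const merged = mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: merged.name, leaked };
}

// Run stand-alone: the unsafe merge leaks, the safe one does not.
console.log('unsafe:', demo(deepExtendUnsafe));
console.log('safe:  ', demo(deepExtendSafe));
```

Note that `for...in` and `Object.keys` both see the `__proto__` key when it was created by `JSON.parse` (it is an ordinary own property there); the fix is not about how keys are enumerated but about refusing to merge into that key. `containsForbiddenKey` is worth running at the boundary where JSON enters the application, since a merge helper deep inside a dependency may not be the hardened one.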
Affected Product(s) | Version(s) |
---|---|
IBM Business Automation Workflow | V19.0, V18.0 |
IBM Business Process Manager | V8.6, V8.5 |
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR61747 as soon as practical.
Note that JR61747 is superseded by JR62222, which addresses a profile-upgrade issue that occurs when the iFix has been applied and is reapplied during an upgrade to a newer version that does not yet contain the fix.
For IBM Business Automation Workflow V18.0 and V19.0
· Upgrade to the minimal cumulative fix levels required by the iFix, then apply iFix JR61747
OR
· Apply cumulative fix Business Automation Workflow V20.0.0.1
For IBM Business Process Manager V8.6
· Upgrade to the minimal cumulative fix levels required by the iFix, then apply iFix JR61747
OR
· Upgrade to Business Automation Workflow V20.0.0.1
For IBM BPM V8.5
· Upgrade to IBM BPM V8.5.7, apply Cumulative Fix 2017.06, then apply iFix JR61747
OR
· Upgrade to Business Automation Workflow V20.0.0.1
Workarounds and Mitigations: None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_process_manager | 8.5.7. | cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:standard:*:*:* |
ibm | business_process_manager | 201706 | cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:standard:*:*:* |
ibm | business_process_manager | 201703 | cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:standard:*:*:* |
ibm | business_process_manager | 201612 | cpe:2.3:a:ibm:business_process_manager:201612:*:*:*:standard:*:*:* |
ibm | business_process_manager | 201609 | cpe:2.3:a:ibm:business_process_manager:201609:*:*:*:standard:*:*:* |
ibm | business_process_manager | 201606 | cpe:2.3:a:ibm:business_process_manager:201606:*:*:*:standard:*:*:* |
ibm | business_process_manager | 8.5.7 | cpe:2.3:a:ibm:business_process_manager:8.5.7:*:*:*:standard:*:*:* |
ibm | business_process_manager | 8.5.6.2 | cpe:2.3:a:ibm:business_process_manager:8.5.6.2:*:*:*:standard:*:*:* |
ibm | business_process_manager | 8.5.6.1 | cpe:2.3:a:ibm:business_process_manager:8.5.6.1:*:*:*:standard:*:*:* |
ibm | business_process_manager | 8.5.6 | cpe:2.3:a:ibm:business_process_manager:8.5.6:*:*:*:standard:*:*:* |