7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
IBM Initiate Master Data Service is vulnerable to multiple Apache CXF issues and could allow remote attackers to steal a victim’s cookie-based authentication credentials and read arbitrary files on the system.
CVEID: CVE-2016-6812**
DESCRIPTION:** Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the FormattedServiceListWriter() function. A remote attacker could exploit this vulnerability using the 'matrix ’ parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120409 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2016-8739**
DESCRIPTION:** Apache CXF could allow a remote attacker to obtain sensitive information, caused by XML External Entity (XXE) vulnerability in JAX-RS implementation. By using a specially-crafted XML data, an attacker could exploit this vulnerability to read arbitrary files on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-ID:CVE-2017-5653
DESCRIPTION: Apache CXF could allow a remote attacker to conduct spoofing attacks, caused by the improper validation of service response in JAX-RS XML Security streaming clients. An attacker could exploit this vulnerability to spoof the servers.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/125087 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID:CVE-2017-5656
DESCRIPTION: Apache CXF could allow a remote attacker to bypass security restrictions, caused by a flaw in the STSClient. By sending a specially-crafted token, an attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/125216 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID: CVE-2017-3156 DESCRIPTION: Apache CXF could provide weaker than expected security, caused by the failure to use the OAuth2 Hawk and JOSE MAC Validation code. A remote attacker could exploit this vulnerability using timing attacks to obtain sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/130249 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
This vulnerability is known to affect the following offerings:
Affected IBM Initiate Master Data Service
|
Affected Versions
—|—
IBM Initiate Master Data Service| 10.1
IBM InfoSphere Master Data Management| 11.0
IBM InfoSphere Master Data Management| 11.3
IBM InfoSphere Master Data Management| 11.4
IBM InfoSphere Master Data Management| 11.5
IBM InfoSphere Master Data Management| 11.6
Product****
| VRMF|Remediation/First Fix
—|—|—
IBM Initiate Master Data Servic|
10.1
| 10.1.031518_IM_Initiate_MasterDataService_ALL_Refresh Pack
IBM InfoSphere Master Data Management Standard/Advanced Edition |
11.0
| 11.0.0.7-MDM-SAE-FP07IF000
IBM InfoSphere Master Data Management Standard/Advanced Edition |
11.3
| 11.3.0.7-MDM-SE-AE-FP07IF000
IBM InfoSphere Master Data Management Standard/Advanced Edition |
11.4
| 11.4.0.8-MDM-SAE-FP08IF000
IBM InfoSphere Master Data Management Standard/Advanced Edition |
11.5
| 11.5.0.6-MDM-SE-AE-FP06IF000_ _
IBM InfoSphere Master Data Management Standard/Advanced Edition |
11.6
None
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N