Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM66886B86D22AD162D05F9B987C32085ED4A1AA2754E87D356E718DE087B7313A
HistoryJan 04, 2023 - 3:55 p.m.

Security Bulletin: Multiple Vulnerabilities discovered in libraries used by TCRtoolkit in ITNM

2023-01-0415:55:01
www.ibm.com
22

0.064 Low

EPSS

Percentile

93.7%

JSON

Summary

Multiple vulnerabilities (CVE-2009-4521; CVE-2015-0250; CVE-2017-5662; CVE-2018-8013; CVE-2019-17566; CVE-2020-11987; CVE-2009-4269; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2009-4521; CVE-2021-41033) found in TCRtoolkit component present in IBM Tivoli Network Manager (ITNM) IP Edition. The fix contains the removal of affected component from ITNM.

Vulnerability Details

CVEID:CVE-2009-4521
**DESCRIPTION:**Eclipse BIRT is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the report viewer. A remote attacker could exploit this vulnerability using the __report parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. Note: KonaKart uses BIRT and is also vulnerable.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/53773 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2015-0250
**DESCRIPTION:**Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/101614 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:CVE-2017-5662
**DESCRIPTION:**Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/125198 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:CVE-2018-8013
**DESCRIPTION:**Apache Batik could allow a remote attacker to obtain sensitive information, caused by an error when deserializing subclass of AbstractDocument. An attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-17566
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the “xlink:href” attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-11987
**DESCRIPTION:**Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack to cause the underlying server to make arbitrary GET requests.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197372 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2009-4269
**DESCRIPTION:**Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/61202 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID:CVE-2021-41033
**DESCRIPTION:**Eclipse Equinox is vulnerable to a man-in-the-middle attack, caused by the use unencrypted HTTP communication in p2 repos. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to alter the local installation, and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
ITNM 4.2 GA through to 4.2.0.15

Remediation/Fixes

The issue has been Fixed in ITNM 4.2 Fix Pack 16 (i.e. 4.2.0.16). Upgrade ITNM 4.2 to Fix Pack 16 from Fix Central.

4.2.0-TIV-ITNMIP-Linux-FP0016

4.2.0-TIV-ITNMIP-zLinux-FP0016

4.2.0-TIV-ITNMIP-AIX-FP0016

Workarounds and Mitigations

None

Related

ibm 37
nessus 27
openvas 28
debian 7
osv 14
mageia 3
prion 9
cve 9
cvelist 9
github 6
fedora 14
veracode 6
cnvd 1
ubuntu 4
ubuntucve 7
debiancve 6
redhatcve 3
redhat 2
securityvulns 2
archlinux 1
gitlab 1
suse 2
gentoo 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Apache Batik affect Tivoli Netcool/OMNIbus WebGUI (CVE-2017-5662, CVE-2018-8013, CVE-2015-0250, CVE-2019-17566)
2020-12-15 13:01:33
Security Bulletin:IBM TRIRIGA Application Platform discloses CVE-20215-0250
2022-08-30 16:36:11
Security Bulletin: Vulnerabilities found in batik-all-1.7.jar, batik-dom-1.7.jar which is shipped with IBM® Intelligent Operations Center(CVE-2018-8013, CVE-2017-5662, CVE-2015-0250)
2023-09-05 08:40:21
nessus
nessus
RHEL 6 : batik (Unpatched Vulnerability)
2024-05-11 00:00:00
Debian DSA-4215-1 : batik - security update
2018-06-05 00:00:00
RHEL 7 : batik (Unpatched Vulnerability)
2024-05-11 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-4215-1)
2018-06-01 00:00:00
Mageia: Security Advisory (MGASA-2021-0168)
2022-01-28 00:00:00
Fedora: Security Advisory for batik (FEDORA-2021-65ff5f10e2)
2021-03-20 00:00:00
debian
debian
[SECURITY] [DSA 4215-1] batik security update
2018-06-02 08:13:08
[SECURITY] [DSA 4215-1] batik security update
2018-06-02 08:13:30
[SECURITY] [DLA 926-1] batik security update
2017-04-29 15:41:59
osv
osv
batik - security update
2018-06-02 00:00:00
CVE-2017-5662
2017-04-18 14:59:00
CVE-2020-11987
2021-02-24 18:15:11
mageia
mageia
Updated batik packages fix security vulnerabilities
2021-04-02 23:25:05
Updated batik packages fix a security vulnerability
2021-03-17 09:16:07
Updated batik packages fix security vulnerabilities
2015-04-10 01:44:14
prion
prion
Cross site scripting
2009-12-31 19:30:00
Design/Logic Flaw
2010-08-16 20:00:00
Code injection
2021-09-13 21:15:00
cve
cve
CVE-2009-4521
2009-12-31 19:30:00
CVE-2017-5662
2017-04-18 14:59:00
CVE-2009-4269
2010-08-16 20:00:00
cvelist
cvelist
CVE-2009-4521
2009-12-31 19:00:00
CVE-2017-5662
2017-04-18 14:00:00
CVE-2009-4269
2010-08-16 19:00:00
github
github
Improper Restriction of XML External Entity Reference in Apache Batik
2022-05-13 01:14:24
Server-side request forgery (SSRF) in Apache Batik
2022-01-06 20:35:54
Use of Password Hash With Insufficient Computational Effort in Apache Derby
2022-05-02 03:53:13
fedora
fedora
[SECURITY] Fedora 25 Update: batik-1.8-9.fc25
2017-05-10 04:02:57
[SECURITY] Fedora 34 Update: batik-1.14-1.fc34
2021-03-19 20:30:31
[SECURITY] Fedora 26 Update: batik-1.9-3.fc26
2017-05-09 21:29:07
veracode
veracode
Information Disclosure Through An External XML Entity (XXE) Vulnerability
2017-04-19 01:00:17
XML External Entity (XXE)
2021-02-25 04:34:00
Information Disclosure
2018-05-24 02:45:41
cnvd
cnvd
Eclipse Equinox has an unspecified vulnerability
2021-09-15 00:00:00
ubuntu
ubuntu
Apache Batik vulnerability
2017-05-09 00:00:00
Batik vulnerability
2018-05-29 00:00:00
Batik vulnerability
2015-03-25 00:00:00
ubuntucve
ubuntucve
CVE-2020-11987
2021-02-24 00:00:00
CVE-2017-5662
2017-04-18 00:00:00
CVE-2009-4269
2010-08-16 00:00:00
debiancve
debiancve
CVE-2009-4269
2010-08-16 20:00:00
CVE-2017-5662
2017-04-18 14:59:00
CVE-2020-11987
2021-02-24 18:15:00
redhatcve
redhatcve
CVE-2020-11987
2021-03-01 19:03:16
CVE-2018-8013
2018-05-23 14:20:02
CVE-2019-17566
2020-06-18 15:55:19
redhat
redhat
(RHSA-2016:0041) Moderate: Red Hat JBoss BRMS 6.1.5 update
2016-01-14 18:31:11
(RHSA-2016:0042) Moderate: Red Hat JBoss BPM Suite 6.1.5 update
2016-01-14 18:31:13
securityvulns
securityvulns
[USN-2548-1] Batik vulnerability
2015-05-11 00:00:00
Apache libbatik XXE
2015-05-11 00:00:00
archlinux
archlinux
java-batik: xml external entity injection
2015-04-04 00:00:00
gitlab
gitlab
Improper Restriction of XML External Entity Reference
2015-03-24 00:00:00
suse
suse
Security update for xmlgraphics-batik (moderate)
2020-06-23 00:00:00
Security update for xmlgraphics-batik (moderate)
2020-07-23 00:00:00
gentoo
gentoo
Apache Batik: Multiple Vulnerabilities
2024-01-07 00:00:00

0.064 Low

EPSS

Percentile

93.7%

JSON
Related for 66886B86D22AD162D05F9B987C32085ED4A1AA2754E87D356E718DE087B7313A
ibm37nessus27openvas28debian7osv14mageia3prion9cve9cvelist9github6fedora14veracode6cnvd1ubuntu4ubuntucve7debiancve6redhatcve3redhat2securityvulns2archlinux1gitlab1suse2gentoo1