Multiple vulnerabilities (CVE-2009-4521, CVE-2015-0250, CVE-2017-5662, CVE-2018-8013, CVE-2019-17566, CVE-2020-11987, CVE-2009-4269, CVE-2021-41033) were found in the TCRtoolkit component present in IBM Tivoli Network Manager (ITNM) IP Edition. The fix removes the affected component from ITNM.
CVEID: CVE-2009-4521
**DESCRIPTION:** Eclipse BIRT is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the report viewer. A remote attacker could exploit this vulnerability using the __report parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. Note: KonaKart uses BIRT and is also vulnerable.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/53773 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0250
**DESCRIPTION:** Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101614 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2017-5662
**DESCRIPTION:** Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125198 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2018-8013
**DESCRIPTION:** Apache Batik could allow a remote attacker to obtain sensitive information, caused by an error when deserializing a subclass of AbstractDocument. An attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-17566
**DESCRIPTION:** Apache Batik is vulnerable to server-side request forgery, caused by improper input validation of the “xlink:href” attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/183402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2020-11987
**DESCRIPTION:** Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack and cause the underlying server to make arbitrary GET requests.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197372 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2009-4269
**DESCRIPTION:** Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/61202 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2021-41033
**DESCRIPTION:** Eclipse Equinox is vulnerable to a man-in-the-middle attack, caused by the use of unencrypted HTTP communication in p2 repositories. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to alter the local installation and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
| Affected Product(s) | Version(s) |
|---|---|
| ITNM | 4.2 GA through 4.2.0.15 |
The issue has been fixed in ITNM 4.2 Fix Pack 16 (4.2.0.16). Upgrade ITNM 4.2 to Fix Pack 16 from Fix Central.
4.2.0-TIV-ITNMIP-zLinux-FP0016
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| | tivoli network manager ip edition | eq | 4.2.0 |