CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 78.2%)

iText.jar in Tom Sawyer Perspective, which is used by IBM Tivoli Network Manager (ITNM) IP Edition, is vulnerable to XML External Entity (XXE) processing.

CVEID: CVE-2017-9096

**DESCRIPTION:** iText PDF Library could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted XML file, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/134520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
ITNM | 4.2 GA through to 4.2.0.16 |
IBM strongly recommends addressing the vulnerability now using the steps provided in the workaround section.
To fix the vulnerability, complete the following steps.
- Take a backup of the `$NMGUIHOME/precision_gui/lib/shared_jars/iText.jar` file.
- Remove the `iText.jar` file from the `shared_jars` directory.
Completing these steps disables the PDF option in the “Save As Image” dialog in Topoviz. You can still select PDF as an output format, but no file is generated. You can generate a PDF by using the browser’s print function, or the Print button on the Topoviz toolbar, but these methods do not have the extra options that are present in the Save As Image dialog.
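
The two workaround steps above as one scripted procedure (an added example, not IBM's code). The function name and the backup directory argument are assumptions; keeping the copy outside `shared_jars` is a precaution so the vulnerable jar is not left beside the live jars.

```shell
#!/bin/sh
# Added example: apply the iText.jar workaround with a verified backup.
# Assumptions: the first argument is the value of NMGUIHOME on the GUI host;
# the backup directory is hypothetical and must be outside shared_jars.

remove_itext_jar() {
    gui_home=$1
    backup_dir=$2
    jar="$gui_home/precision_gui/lib/shared_jars/iText.jar"

    if [ -z "$gui_home" ] || [ -z "$backup_dir" ]; then
        echo "usage: remove_itext_jar <NMGUIHOME> <backup_dir>" >&2
        return 2
    fi

    # Idempotent: nothing to do if the workaround is already in place.
    if [ ! -e "$jar" ]; then
        echo "iText.jar not present under shared_jars; nothing to remove"
        return 0
    fi

    # Refuse to place the backup next to the live jars.
    case "$backup_dir" in
        "$gui_home"/precision_gui/lib/shared_jars*)
            echo "backup directory must be outside shared_jars" >&2
            return 1 ;;
    esac

    mkdir -p "$backup_dir" || return 1
    backup="$backup_dir/iText.jar.$(date +%Y%m%d%H%M%S).bak"

    # Step 1: back up, then confirm the copy is byte-identical.
    cp -p "$jar" "$backup" || return 1
    if ! cmp -s "$jar" "$backup"; then
        echo "backup verification failed; iText.jar left in place" >&2
        return 1
    fi

    # Step 2: remove the jar only after the backup is verified.
    rm -f "$jar" || return 1
    [ ! -e "$jar" ] || return 1
    echo "removed $jar (backup: $backup)"
}

# Typical call on the GUI host (backup path is a placeholder):
#   remove_itext_jar "$NMGUIHOME" /var/backups/itnm
```

Running it a second time is a no-op, which makes it safe to include in a host hardening run that checks the workaround is still in place.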
CPE

Name | Operator | Version |
---|---|---|
tivoli network manager ip edition | eq | 4.2.0 |