Dec 09, 2023 - 1:00 a.m.

Security Bulletin: IBM Content Navigator is vulnerable to Server Side Request Forgery leading to Arbitrary File Read due to Oracle Outside In Technology (CVE-2023-35896)

2023-12-09 01:00:02
www.ibm.com

AI Score: 6.1 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 12.3%)

Summary

Oracle Outside In Technology is used in some configurations of IBM Content Navigator as part of the document viewer. This bulletin covers CVE-2023-35896.

Vulnerability Details

**CVEID:** CVE-2023-35896
**DESCRIPTION:** IBM Content Navigator is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259247 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)|Version(s)
---|---
IBM Content Navigator|3.0.14
IBM Content Navigator|3.0.13
IBM Content Navigator|3.0.11

Remediation/Fixes

Affected Product(s)|Version(s)|Remediation/Fix/Instructions
---|---|---
IBM Content Navigator|3.0.14|Download 3.0.14 IF003 and follow instructions
IBM Content Navigator|3.0.13|Download 3.0.13 IF006 and follow instructions
IBM Content Navigator|3.0.11|Download 3.0.11 IF014 and follow instructions

Workarounds and Mitigations

Customers who do not use Oracle Outside In Technology are not affected.
