Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM872BD873063FFAF2EF7288B9566A9CA58451B802A0465ADE67F67B5E43921382
HistoryJul 17, 2020 - 4:51 p.m.

Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

2020-07-1716:51:47
www.ibm.com
8

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Summary

The Planning Analytics Workspace component of IBM Planning Analytics is affected by multiple vulnerabilities . These have been addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 54.

Vulnerability Details

CVEID:CVE-2020-4527
**DESCRIPTION:**IBM Planning Analytics Administration could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182631 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2015-6420
**DESCRIPTION:**Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-4361
**DESCRIPTION:**IBM Planning Analytics Local could allow a remote attacker to obtain sensitive information by disclosing private IP addresses in HTTP responses.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Planning Analytics 2.0

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical.

Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 54 from Fix Central.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm planning analytics localeq2.0

Related

openvas 1
veracode 3
nessus 3
osv 1
cve 3
thn 1
github 1
prion 3
cisco 1
cvelist 2
cert 2
ibm 11
mskb 1
impervablog 1
oracle 1
openvas
openvas
Cisco Webex Meetings Server Java Deserialization Vulnerability
2016-09-22 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-03-21 08:10:25
Arbitrary Code Execution
2019-07-08 10:38:22
Potential Remote Code Execution Via Java Object Deserialization
2015-11-09 19:34:22
nessus
nessus
Cisco Security Manager Java Object Deserialization RCE (CSCux34671)
2017-05-02 00:00:00
Cisco Unified Communications Manager Java Object Deserialization RCE (CSCux34835)
2016-10-10 00:00:00
Cisco Prime LAN Management Solution Java Object Deserialization RCE (CSCux34647)
2017-05-02 00:00:00
osv
osv
Insecure Deserialization in Apache Commons Collection
2020-06-15 20:36:20
cve
cve
CVE-2015-6420
2015-12-15 05:59:00
CVE-2020-4361
2020-07-20 14:15:00
CVE-2020-4527
2020-07-20 14:15:00
thn
thn
Google Employees Help Thousands Of Open Source Projects Patch Critical ‘Mad Gadget Bug’
2017-03-02 00:48:00
github
github
Insecure Deserialization in Apache Commons Collection
2020-06-15 20:36:20
prion
prion
Code injection
2015-12-15 05:59:00
Information disclosure
2020-07-20 14:15:00
Information disclosure
2020-07-20 14:15:00
cisco
cisco
Vulnerability in Java Deserialization Affecting Cisco Products
2015-12-09 16:00:00
cvelist
cvelist
CVE-2020-4361
2020-07-17 00:00:00
CVE-2020-4527
2020-07-17 00:00:00
cert
cert
TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks
2018-09-26 00:00:00
Apache Commons Collections Java library insecurely deserializes data
2015-11-13 00:00:00
ibm
ibm
Security Bulletin: IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708]
2023-07-21 12:22:34
Security Bulletin: IBM Jazz for Service Management (JazzSM) is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)
2020-10-20 11:33:26
Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)
2022-11-22 16:37:00
mskb
mskb
KB5003279 - SQL Server 2016 Service Pack 3 release information
1970-01-01 00:00:00
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08
oracle
oracle
CPU July 2018
2018-07-17 00:00:00

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for 872BD873063FFAF2EF7288B9566A9CA58451B802A0465ADE67F67B5E43921382
openvas1veracode3nessus3osv1cve3thn1github1prion3cisco1cvelist2cert2ibm11mskb1impervablog1oracle1