Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM996EEF0B348CE9BDA5A48E109FB0FA7885561989D94ACCD2289FE0E0425CE0F9
HistorySep 22, 2022 - 7:03 p.m.

Security Bulletin: XML External Entity Injection (XXE) attack Affects IBM Partner Engagement Manager (CVE-2022-34348)

2022-09-2219:03:49
www.ibm.com
19
ibm
sterling
partner engagement manager
vulnerability
xxe attack
xml
injection
cve-2022-34348
remote attack
sensitive information
memory resources
security bulletin
patch
update

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

0.001 Low

EPSS

Percentile

45.6%

JSON

Summary

IBM Sterling Partner Engagement Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Vulnerability Details

CVEID:CVE-2022-34348
**DESCRIPTION:**IBM Sterling Partner Engagement Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230017 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Partner Engagement Manager 2.0

Remediation/Fixes

Product Version Link
Partner Engagement Manager Essentials Edition 6.1.2.6 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.6&source=SAR
Partner Engagement Manager Standard Edition 6.1.2.6 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.6&source=SAR
Partner Engagement Manager Essentials Edition 6.2.0.4 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.4&source=SAR
Partner Engagement Manager Standard Edition 6.2.0.4 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.4&source=SAR
Partner Engagement Manager Essentials Edition 6.2.1.1 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.1.1&source=SAR
Partner Engagement Manager Standard Edition 6.2.1.1 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.1&source=SAR
Partner Engagement Manager on Cloud / SaaS 22.3.1 us.icr.io/gold/pem:22.3.1

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmpartner_engagement_managerMatch6.1
CPENameOperatorVersion
partner engagement managereq6.1

Related

cve 1
prion 1
cvelist 1
nvd 1
cve
cve
CVE-2022-34348
2022-09-23 18:15:10
prion
prion
Xxe
2022-09-23 18:15:00
cvelist
cvelist
CVE-2022-34348
2022-09-22 00:00:00
nvd
nvd
CVE-2022-34348
2022-09-23 18:15:10

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

0.001 Low

EPSS

Percentile

45.6%

JSON
Related for 996EEF0B348CE9BDA5A48E109FB0FA7885561989D94ACCD2289FE0E0425CE0F9
cve1prion1cvelist1nvd1