Security Bulletin: Security vulnerabilities are identified in WebSphere Application Server where Rational Asset Manager is deployed (CVE-2019-10086 and CVE-2020-4329)

2021-01-04T09:29:23

Description

## Summary In the WebSphere Application Server (WAS) admin console where the Rational Asset Manager (RAM) is deployed, vulnerabilities such as allowing a remote attacker to access the classloader through class property, and an authenticated attacker obtaining sensitive information caused by improper parameter checking are observed. Information about these security vulnerabilities affecting WebSphere Application Server are published in the respective security bulletins. ## Vulnerability Details Refer to the security bulletin(s) listed in the Remediation/Fixes section ## Affected Products and Versions IBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.x. NOTE: Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server. ## Remediation/Fixes Refer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). ** Affected Supporting Product**| ** Affected Supporting Product Security Bulletin** ---|--- IBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0.| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> "Security Bulletin: Information disclosure in WebSphere Application Server $CVE-2020-4329$" ) [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> "Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils $CVE-2019-10086$" ) ## Workarounds and Mitigations None ##

Affected Software

CPE Name	Name	Version
	rational asset manager	7.5
	rational asset manager	7.5.1
	rational asset manager	7.5.3.
	rational asset manager	7.5.4.

{"id": "C06037486063080DAF0903578E651F281F08105507F07A61B0292AD4FC96B7DB", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Security vulnerabilities are identified in WebSphere Application Server where Rational Asset Manager is deployed (CVE-2019-10086 and CVE-2020-4329)", "description": "## Summary\n\nIn the WebSphere Application Server (WAS) admin console where the Rational Asset Manager (RAM) is deployed, vulnerabilities such as allowing a remote attacker to access the classloader through class property, and an authenticated attacker obtaining sensitive information caused by improper parameter checking are observed. Information about these security vulnerabilities affecting WebSphere Application Server are published in the respective security bulletins. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.x.\n\nNOTE: Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server.\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). \n\n** Affected Supporting Product**| ** Affected Supporting Product Security Bulletin** \n---|--- \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0.| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2021-01-04T09:29:23", "modified": "2021-01-04T09:29:23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, "href": "https://www.ibm.com/support/pages/node/6395488", "reporter": "IBM", "references": [], "cvelist": ["CVE-2019-10086", "CVE-2020-4329"], "immutableFields": [], "lastseen": "2023-02-27T21:47:44", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS2-2020-1395"]}, {"type": "centos", "idList": ["CESA-2020:0194"]}, {"type": "cve", "idList": ["CVE-2019-10086", "CVE-2020-4329"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2", "DEBIAN:DLA-1896-1:853E6"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10086"]}, {"type": "fedora", "idList": ["FEDORA:EF5B36120D8F", "FEDORA:F015D61278C8"]}, {"type": "github", "idList": ["GHSA-6PHF-73Q6-GH87"]}, {"type": "ibm", "idList": ["02FD10030B8366010758D75673B2286A0CD064A8561853F6F314CF7B7BC8B298", "037DC92C3964B9BE83FE00549FB0CE6C44ACB2D76406400ED57CA4D310EF3538", "03A21E2CEB2AE80B0CB3845788EE2C252B219A2161281A588F3A3FABD346F890", "03BD9C6A634D56977256D0EB02550574DC21A677D8E08EEB57FD8C5F206D469F", "07988475CE9095B9471700FFB4FFB199A58AB32837E3178BE094D53E97B8461A", "0DD7AF43DE97763E0D93D1D019F9D4F482815C909438E3FDD9E285D6B2ED40B7", "0E85F055F69C36F1AFCDA9AA4C7476B24B7826864D94024DCA43C8F828A3D547", "10FBEBB14A30BC73B75E0DF3E1AC14E07BC218A2AAE122217F23444AA2EEB55D", "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "1C1678518312F18585D48228E2C4D89CBF458CAF1277708839EA38E32D0F11E3", "1EB9F8573A9E928E14652E6C4EA6633663E35B33C744263304C0A5C14EC87569", "204ADCCC258487D6D5F8C848C95DAB38413055F4AFD05DFCF56FD7435CBF7C69", "20FC8D083652BD9620AA16329F2B0D169CF687E1B0F904A9AC013C7517AD365E", "217BB6C17A6FD504F278CE0259F71540873D9ACBEC02EC2F580CED3F0A79FB4A", "21A78502CF868CEFFA6DC5C776E16EE0EDF33BAA9E7F3DE611912CC218BF6C9D", "24C171D2EBFBD69CF6AEEFB17FADCB6350B347E61036097EF3A9343C6459084D", "276311EA26EA41FBAE81DFB3042788416A0F2799192780CD6BCD5F7081C47F5C", "28F8FE772F7744066E89072F94BE119B652D05DADA694784B7CCD72965C551F7", "2B4BFF0D4D521D5012752D32EC9AED8D7B42C9CCDA58A0989CACAC0FE91E3799", "2F2115F5724B651AC6B9F0B28265F93BC7C9AB2AC6ADC0181AFF86004B79A417", "3145AF0C5406567F174CE24AB15ECCCBF1EDAC271CA314F0505020DA0354DFD8", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "376BF79A42FDC2B79EA0ACE3299D7D2BC084C5F6732575256A96FE46F43D836F", "38FAB199DF9F4E39A65615F1E108853EF74C41252303325B3AE91FF543CD105A", "39C354245E58DEA5508935346917841B7B505E810D13B316B0E6615AD25C04D2", "3BEB441D10779A1942BF02B10D6A1555A8433CFB0B2D08C01720323538A45578", "3D04811CD7C9B337157F4E06A7E1B2584D270E7E69B726B8521CEEE31E88AF6A", "3E90D8B117724A689CF205EB148C972A5AC679705260655DC0A260183EE9C99E", "3F0DB6A6B43161E807AC17CE719A18BD26C81F3134F4959AA51E211376F74BD1", "40F7CBCFB58A3B19B3D79CA6DAD7B6DC2BDC641FF8B170D51B354FDEBE613E4B", "41BB6A57FAD3A6133AC798B9A434DFE0BA0E9AC64CD3258AAECCEAD5451AF287", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "43DA011A37CE03FA64B094E9F5770A93BEF6CF43E03F703E6569EEA76986A4F8", "44F8F51D369D3F744AF193AB2E497189282F22F94B8B3424EA2B099B5580CD94", "451F72C42C9FA5B3638C6F2233F910FC635FE2A09DB2B0F71474AE8603F61D92", "47377382FB42339D4CE97A4452C254F07E69CAE5413DDD356B24FAAA26841F46", "4BFA3A2F692D8FC8DE4F07BCA56AA58679411D74D1AC3CD28957EF6A817C1264", "4C149E6F2A02DE48EF008D908A63161BF93C07DD6B16401AC765C3B64D274497", "4C530226C2C82FCA90A29F26A05A9D0BF640534450027EDE7596BB30563A3845", "4D266A154A3DA31DCA059F3C44F85045C1027D42EEAD68DA8098C2A3E0994AF2", "4F2D82A4F724C8AC105424E03F5FBC319EFED1ECC4C4FC502E3EE79470EB24D9", "4F83742D4D9E3F03A6481F27A21969D4333962D309ACFDC2D174BF09D63F0F8A", "51C64898345F327DD93881C52DC0BCDB22915CDD412C72A65BE394B7A650FE83", "51D185DB29AE6E4FAD71119D872DA0F52814A6C17A59AD1AF9B79D0668C33FBB", "54E686FBB2E60A0BDEAB59EFECEB36D61C77A784661FD44124BD8864158EE317", "567625FF8DF333D5C563E40EDFFF9516FF13EA40EAFE9A2E68635850284A1A44", "5918C016B20B5ACA60A7D119FD2C32C94F0627AB911B7E60826658D357145A38", "5A2425933E89E2C50FE1F3B1903983FFF1089EEE55483682712FA0DB9D6A700B", "5B63337BED8D1831437D9E9CDA230341D96CD4E72BF44B64671DD96E2E83D164", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "6319DF1B256EC58709172407AF4A25DE3588354F1CDF0FE760752C81DC6DA075", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "6460D41996E43CB75276902519E15745959E2FFD675E2119EAA294B305A37593", "65AC33072AF8ABBAA1E90D22A6164663D0FCF7967CC7051A7C6B601CEA97BF53", "661EF6C7BBF8AD251228707DD8EDA4B08D9235BFBAA6C9BCAC49A5F4CECDE3DD", "693658DCE0F371748D69D63EAD5B48AAC0350649F64CFEB925F5CA6BD3E2A97C", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "6A0D9421C284C29C699BD48273C99B57CF4E764A76760B5A163F68BA4E03AA6F", "6AF6A75AB47A85BD264ED489D020A601CD49E58065CEDF72F8DBC129C0B69CAB", "6BA96613CB9284A12C5C7BA5B1AF346C52C407C3784639F8A63CA5F6E90563C2", "705D1AA8DC1EFC5A25852EAE8F70114AEDB618E07145B676E2B502DEDBEBA92D", "717EA7B7E291CEAF2956470CE508AB38C2BF8E63133D28CF594496671ADDDEE9", "7463232BD9391B70113F6779133DEEDF82C2F9FB5E2F9C9C4D0363B332E72184", "757696CF6B25D861147516A0233F27AA8ED63CE44EC3D079E6265FF809DBCB35", "766578EB2C7BE8A81F504B4989C22C31CF802D03B94649D36D4712AB13F788F0", "790AEE8158E5072311EE0B1D8C1CACC2CAE27CA8C7B75F39AD990B40790CFB8C", "7AABFFD7EDE8A56FF3E63014903A8533BF0F07389F0D81F452A4D9AFF5CEB90B", "7BE38BC9D9063F34BE9B8AEC73F5518E1D7B0EC8F35109DB2E64EBA48061A6DB", "7C687A5C4DA5F147CCB651C24229AA31D311EBB13BB2DF3508D7A6085EF3DD7D", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E120392C6B27EF023444674C7B2E2BB0AF1032844B5941C3D340385D2344B0E", "7F1C012CC641EF0CCDD9BC749B665F263D22200F5DA78D27932DB5F6F0D9433E", "7F8C5B286D46F7C07594D83B9BEAA8FFE7516BE4B7A585530E218AC7EB0CDC1F", "80F63C4DBA4692F1399B8419C02ECEE29E4B32D85EDDE77D136EB81CBB859B9C", "8275C3B123771E721297381D0F66E5CCB99C5D5EA14F12413C6DF109D950665B", "845034F004D5E87FCBDDBF4DF19CBEEE3865967F212423D2B39A2634A34BBB84", "86BC382413D13FEC49BBCF5FC0129F8B83C058E0C0CDD0CFC599911E284C4FA7", "86D81D4FF071D7D46BB506C67EA7CE93C082F0DB66B01AA7474850EEE2C3CBD5", "889AEF340E86A1FF8AE75CD323791BF93186173C5DCEC257F97767066CFAFD1D", "891E5F0424A107621BE648D5F1576C607F7834B3BC114E0F945E5010BA70A9F3", "89289E9A98285CD79B0D3F1F025DD0EAA5E6629F7ADF333B9EF34FE380BACA0A", "89889D01EFEB2906CEB101B24500260E255984420DF03BB57D83997D812CEE0A", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "90CF485116A952ADEC5B5A85E722DF33D1556D18AE9C7D1F5699712F4EB9F66A", "918EC90267CF1760ED229DE75BD576095419855F5087F191C08D402ADF7504D9", "92627E627D103D4038024BCFD810986107E14AF89DB4426C430D1DE63EBADE27", "929D837DD9C3EA90C20AF84418A0A2BB1D61BFBA6F69A8B90EB5479898403F5C", "9548F3BD922C19C55E9391D4BACA8EA98682FB5BCA396DD8812365F4C30867A0", "9568E59FBC9F48E0CA633A74AB406265AC01F813ACFBBF2AC3F70CCAF62213C1", "958D3B4A5A0C1FD39CFF6BC608C4A1729951FA8F9C647E5838B8F638A26061A5", "9597A8DA413DEA047F25252B086CCCDA7543FCBC7042D730228D872AF048DEA1", "99126F9F2548EE2300C741A1541AAF9CD2E67330BBEEA99D1CCE5C23EA09B155", "9BB137A2C15EDDA2FAD8099BF31EC43072DCB5CFA903CDC8CF3248DC677FE923", "9BBB794BF1DCF8660F8460268754D1A7E827EF26EEF07D631316C9EF5FC3CBDD", "9D474CFA28D8B0313A49C799D05622C172F9872EA0EAE8F12773DAC4E1DEF768", "A07C9B7C7D5952E2BBD4C0874BEC859D77892E662D993098C91BDFD5CD4FF6ED", "A0C17B7FA23DBF1DC4FACFA7A00FFB9DEE0554664F67073C8C966AAD62F6C865", "A1EF9298714E6ED876FC447E879AE4AEF24B3BAE418A5BF1CCD587D6F1B0DF70", "A1EFACF2069DC3D9306569DB75291E800141DD6232DEB3E7928DC96CA216C1CC", "A2924B4DE05BD5A9DE02BD29915404543555C0C4AAE9016A5C570D5EE0CB6EA6", "A5681F729F28C250FF23C2C5EBBDC80244D85B4A5269BFE579C846E02438C673", "A801C0134AF3AE69F120F9758CA8985C815F0984281741FDA5A847A1ACC66AFF", "A8B1328EDAD509E1D76C6016AE0790BC81F18C61790542709096AA8E663BAEC6", "AAB63CA611C91C086C2D2BC4EDEABC95ECFE557C5518B51036200FBBD8C29B34", "AC5DE01326AFA37CBA7F799502684F57AF3D9271EC49734648DB7797522AF2E8", "ACDFCA5E93908C1CC35E54B4EF854ED57BCD6CD2641A3590CD2418E8BCA917EA", "AE9FCFFF0398E144DDAD797967457B662931846E8FEE6194A2655AA5B730BCBC", "B2A50DF3EC1594620E8A37ADF929CB730D5142281927CA3F2AE3C4F02F910D8B", "B2B33DC1DCAEC07D9F9164E0AD1390F5BFB58C4EE2BDF74B976625E39A9F5AF0", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B7B1A8DAB1A897FBFE8F37F46B5A9BAA67F914F715D69E265E2F4E7D8FBB16AF", "C22253825FA485019FC06565D7E7D6C4103E0C10B6510212859354833FAEB242", "C22CC0C04AA48102CB2EBEF5AD691FDAD7FE1267768536619BBE66401698B809", "C43D2CB156B7BD39FC113EAD22568306F95463D3E29CC3A697EB085F142533BB", "C60289D204614CD6F487491D985F924542C108BE5DDA61A136A99A5BF2EE3F15", "C6780300E3EFD7F6811EECD650C04D87FD052560A5F1FA302479AFF8AA4F7FDC", "C9DE4845305DF0F83378929053ED892F37959591039ECF2D78BF547B6F112585", "CB6124223B6F8216BA9E92EAD6DAFC187E51AC4BEC28594EAEF38B28FCD5792F", "CE7B09FDAB4AD52C4D2DF48D876D11F77AB8D075D2126DF86BCFAB3FD1F6D522", "CFD032C6816AA09BC4BFE927259D2C7496159BC447A779769DEB0DECC4952A56", "D10B18EC28A032EFEE6049343ECB3633CC65AE8BDF915EC68181989AB9170F54", "D414FED16B358AD7FE6B00E67C7AA1DB43FD19DDFB901B5F7ABA9F0E20BEB6EC", "D5FC186AFDC475BF1011609D51599D9F4054E10263C52218648C49E2D757DF13", "D794EA27CA7E3FF8825CDCEFF3439F08F1C4C2B94C2E54C22629BF94087D371F", "D9172969D61CF2C2B1320CAD15CAF5A2806FCA9580D5A6E5A2E2C98FF12E2386", "DABA7DED974B2398189D6CD437940649E019A14178C8AB32F290EB35C8669636", "DC05F94C20E54530B22A0F7C5D47B16BEB79F796391043B6D8D2F3934DA6C247", "DD1E4FBBDF4FA000EDF2E286A05EA634208DB4377C6B455CD048AACE3C0B8023", "DD34B9BC3B107A1DC572E91FE164C11C4D3B050CFD5A53884C66DA680566DEB4", "DED899C681C4F01F658F5349E77058BDF8C51E88FADBC17AC63AAD856B4CADE5", "E01AE27864F5D21E9DE4882755AFD601FD4EE9EEF1B77AD913AFA5BAC1F8BF77", "E2B86254D720126A86E0D868B69F73304F67BBA828605033D214DA145B7078F4", "E362EBCBEB18984C3F95A2E9B16F0D6BCB101E27F50F764417CF1574FE5064FC", "E5BBCEF719E615994F1B258C759E10E101CC12EE74BBCBA1AFE726D5AFF29509", "E652AD074D4537242E4F6F6865F5497FE3BCB4D68389AAE0D3EB706D9D1DD1ED", "E8347ACAF81B4BEE7BCA21CC0C47E2063445B19E9FA4E4431CEF5FAB5FF7AE86", "E8E3D041384B3A1C50DFC8E8DD6B7415911290515C88A2C292DAF367F018B0E7", "EA52924E34BCC16950981552A3FA767720FFB0ABD2C4348121C16E9BA6BD4C80", "ED45B3D03432EA991E20FCFB7B9FD0CD25D3E1B834197F239D900E5975F863A2", "EE8D3A0FEFA67706787A5BC66641D09B2650AEC307F61637154D7B7341BF2EB2", "EF0B8ABDDF0182AD0AB63DBD4F3EA0B3769B57CF195F94A299C8DFE53DDE410A", "F171D1A128ED9F033A8E4EB7F107F3B0F58ABA4074ACD771E59F004AAC676A0A", "F4188E3B827097B5726FE571691C7D8BDE2707668C61436452DE873879AB6FA6", "F9ED99C3F4B2D868A3826BA34135EFCC7EF1978329C535488F23E6CF98DA913D", "FE6A60EA653FEE6F655EBB8429BCB70E7D54726EC0055ECB440856BF66B419CA"]}, {"type": "mageia", "idList": ["MGASA-2019-0399"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1395.NASL", "CENTOS_RHSA-2020-0194.NASL", "DEBIAN_DLA-1896.NASL", "FEDORA_2019-79B5790566.NASL", "FEDORA_2019-BCAD44B5D6.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_23.NASL", "NEWSTART_CGSL_NS-SA-2020-0100_APACHE-COMMONS-BEANUTILS.NASL", "OPENSUSE-2019-2058.NASL", "ORACLELINUX_ELSA-2020-0194.NASL", "ORACLE_E-BUSINESS_CPU_APR_2021.NASL", "ORACLE_E-BUSINESS_CPU_JAN_2022.NASL", "ORACLE_E-BUSINESS_CPU_OCT_2022.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_APR_2021.NASL", "ORACLE_OATS_CPU_JUL_2021.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2021.NASL", "ORACLE_RDBMS_CPU_JUL_2020.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2021.NASL", "REDHAT-RHSA-2020-0057.NASL", "REDHAT-RHSA-2020-0194.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-1308.NASL", "REDHAT-RHSA-2020-1454.NASL", "REDHAT-RHSA-2020-2740.NASL", "SL_20200121_APACHE_COMMONS_BEANUTILS_ON_SL7_X.NASL", "WEBSPHERE_1115085.NASL", "WEBSPHERE_6201862.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852686", "OPENVAS:1361412562310876994", "OPENVAS:1361412562310877152", "OPENVAS:1361412562310883171", "OPENVAS:1361412562310891896"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUAPR2022", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUJUL2022", "ORACLE:CPUOCT2021", "ORACLE:CPUOCT2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0194"]}, {"type": "osv", "idList": ["OSV:DLA-1896-1", "OSV:GHSA-6PHF-73Q6-GH87"]}, {"type": "redhat", "idList": ["RHSA-2019:4317", "RHSA-2020:0057", "RHSA-2020:0194", "RHSA-2020:0804", "RHSA-2020:0805", "RHSA-2020:0806", "RHSA-2020:0811", "RHSA-2020:0899", "RHSA-2020:0951", "RHSA-2020:1308", "RHSA-2020:1454", "RHSA-2020:2054", "RHSA-2020:2067", "RHSA-2020:2321", "RHSA-2020:2333", "RHSA-2020:2619", "RHSA-2020:2740", "RHSA-2020:3192", "RHSA-2020:3197", "RHSA-2020:3247", "RHSA-2020:3587"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-10086"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2058-1"]}, {"type": "symantec", "idList": ["SMNTC-109915"]}, {"type": "ubuntu", "idList": ["USN-4766-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10086"]}, {"type": "veracode", "idList": ["VERACODE:21314"]}]}, "score": {"value": 1.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS2-2020-1395"]}, {"type": "centos", "idList": ["CESA-2020:0194"]}, {"type": "cve", "idList": ["CVE-2019-10086"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10086"]}, {"type": "fedora", "idList": ["FEDORA:EF5B36120D8F", "FEDORA:F015D61278C8"]}, {"type": "github", "idList": ["GHSA-6PHF-73Q6-GH87"]}, {"type": "ibm", "idList": ["17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "217BB6C17A6FD504F278CE0259F71540873D9ACBEC02EC2F580CED3F0A79FB4A", "80F63C4DBA4692F1399B8419C02ECEE29E4B32D85EDDE77D136EB81CBB859B9C", "CE7B09FDAB4AD52C4D2DF48D876D11F77AB8D075D2126DF86BCFAB3FD1F6D522", "DD34B9BC3B107A1DC572E91FE164C11C4D3B050CFD5A53884C66DA680566DEB4", "ED45B3D03432EA991E20FCFB7B9FD0CD25D3E1B834197F239D900E5975F863A2"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/IBM-WAS-CVE-2020-4329/"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2020-0194.NASL", "DEBIAN_DLA-1896.NASL", "ORACLELINUX_ELSA-2020-0194.NASL", "ORACLE_E-BUSINESS_CPU_APR_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2021.NASL", "REDHAT-RHSA-2020-0194.NASL", "SL_20200121_APACHE_COMMONS_BEANUTILS_ON_SL7_X.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852686", "OPENVAS:1361412562310877152", "OPENVAS:1361412562310883171", "OPENVAS:1361412562310891896"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "redhat", "idList": ["RHSA-2020:0057"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-10086"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2058-1"]}, {"type": "symantec", "idList": ["SMNTC-111284"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10086"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-10086", "epss": "0.003110000", "percentile": "0.653670000", "modified": "2023-03-17"}, {"cve": "CVE-2020-4329", "epss": "0.000760000", "percentile": "0.307000000", "modified": "2023-03-18"}], "vulnersScore": 1.7}, "_state": {"dependencies": 1677534497, "score": 1684013406, "affected_software_major_version": 1677535305, "epss": 1679178262}, "_internal": {"score_hash": "d79178ca3a83433ea3a17110dbf95707"}, "affectedSoftware": [{"version": "7.5", "operator": "eq", "name": "rational asset manager"}, {"version": "7.5.1", "operator": "eq", "name": "rational asset manager"}, {"version": "7.5.3.", "operator": "eq", "name": "rational asset manager"}, {"version": "7.5.4.", "operator": "eq", "name": "rational asset manager"}]}

{"fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "The scope of this package is to create a package of Java utility methods for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-11-13T09:58:19", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-11-13T09:58:19", "id": "FEDORA:EF5B36120D8F", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The scope of this package is to create a package of Java utility methods for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-11-13T10:08:09", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-11-13T10:08:09", "id": "FEDORA:F015D61278C8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-24T01:39:14", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebSphere Application Server Patterns, all versions| WebSphere Application Server: \n\n * 9.0\n * 8.5\n * 8.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server bundled with IBM WebSphere Application Server Patterns is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "38FAB199DF9F4E39A65615F1E108853EF74C41252303325B3AE91FF543CD105A", "href": "https://www.ibm.com/support/pages/node/1119267", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:55:03", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-10T03:22:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-10T03:22:51", "id": "2B4BFF0D4D521D5012752D32EC9AED8D7B42C9CCDA58A0989CACAC0FE91E3799", "href": "https://www.ibm.com/support/pages/node/6221966", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with or is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.1 and 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.1 \nITNCM| 6.4.2 \n \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.1| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" ) See sections For V7.0.0.0 through 7.0.0.45 \nITNCM| 6.4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" ) See sections For V8.5.0.0 through 8.5.5.16 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-10-14T22:31:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with or required product for IBM Tivoli Netcool Configuration Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-14T22:31:49", "id": "D9172969D61CF2C2B1320CAD15CAF5A2806FCA9580D5A6E5A2E2C98FF12E2386", "href": "https://www.ibm.com/support/pages/node/6348230", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-24T01:39:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \n \nIBM Case Manager 5.1.1\n\nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0 \nIBM Case Manager 5.3.1 \nIBM Case Manager 5.3.2 \nIBM Case Manager 5.3.3\n\n| \n\nIBM WebSphere Application Server 7.0\n\nIBM WebSphere Application Server 8.0\n\nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 9.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "D5FC186AFDC475BF1011609D51599D9F4054E10263C52218648C49E2D757DF13", "href": "https://www.ibm.com/support/pages/node/1120173", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:44", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM WebSphere Remote Server - Product Family| All \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nWebSphere Remote Server \n9.0, 8.5, 7.0\n\n| \n\nWebSphere Application Server 9.0, 8.5, 8.0, 7.0\n\n| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-24T15:47:19", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-24T15:47:19", "id": "7F1C012CC641EF0CCDD9BC749B665F263D22200F5DA78D27932DB5F6F0D9433E", "href": "https://www.ibm.com/support/pages/node/1283440", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:04", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x:**\n\n * These vulnerabilities only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | IBM WebSphere Application Server version 7.0, 8.0, 8.5, and 9.0. | \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-03T21:16:37", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-03T21:16:37", "id": "5A2425933E89E2C50FE1F3B1903983FFF1089EEE55483682712FA0DB9D6A700B", "href": "https://www.ibm.com/support/pages/node/1119387", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:02", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about a security vulnerability affecting WAS has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x:**\n\nThis vulnerability only applies to the server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | IBM WebSphere Application Server version 7.0, 8.0, 8.5, and 9.0. | \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x \n9.0.1.x | \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-10T02:23:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server which is used by IBM Rational ClearQuest (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-10T02:23:50", "id": "07988475CE9095B9471700FFB4FFB199A58AB32837E3178BE094D53E97B8461A", "href": "https://www.ibm.com/support/pages/node/1125219", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:44", "description": "## Summary\n\nFix is available for vulnerability in Apache Commons Beanutils affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086).\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus WebGUI 8.1.0\n\n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI | 8.1.0 | IJ18864 | Apply [Fix Pack 17](<https://www.ibm.com/support/pages/node/958815>) \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\n\n## Workarounds and Mitigations\n\nUpgrade to [WebGUI 8.1.0 Fix Pack 17](<https://www.ibm.com/support/pages/node/958815>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-10-23T02:41:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-10-23T02:41:56", "id": "4D266A154A3DA31DCA059F3C44F85045C1027D42EEAD68DA8098C2A3E0994AF2", "href": "https://www.ibm.com/support/pages/node/1096114", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:45", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the Apache Commons Beanutils library, for which there is a publicly known vulnerability. The vulnerability could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nCuram SPM | 7.0.5.0 - 7.0.8 \nCuram SPM | 7.0.0.0 - 7.0.4.4 \nCuram SPM | 6.2.0.0 - 6.2.0.6 \nCuram SPM | 6.1.0.0 - 6.1.1.6 \nCuram SPM | 6.0.5.0 - 6.0.5.10 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nC\u00faram SPM | \n\n7.0.9\n\n| Visit IBM Fix Central and upgrade to [7.0.9](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.9.0_RP&platform=All&function=all>) or a subsequent 7.0.9 release. \nC\u00faram SPM | \n\n7.0.4.4\n\n| Visit IBM Fix Central and upgrade to [7.0.4.4_iFix1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.4.4&platform=All&function=all>) or a subsequent 7.0.4.4 release. \nC\u00faram SPM | \n\n6.2.0.6\n\n| Visit IBM Fix Central and upgrade to [6.2.0.6_iFix4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.2.0.6&platform=All&function=all> \"6.2.0.6_iFix4\" ) or a subsequent 6.2.0.6 release. \nC\u00faram SPM | \n\n6.1.1.6\n\n| Visit IBM Fix Central and upgrade to [6.1.1.6_iFix4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.6&platform=All&function=all> \"6.1.1.6_iFix4\" ) or a subsequent 6.1.1.6 release. \nC\u00faram SPM | 6.0.5.10 | Visit IBM Fix Central and upgrade to [6.0.5.10_iFix5](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.10&platform=All&function=all> \"6.0.5.10_iFix5\" ) or a subsequent 6.0.5.10 release. \n \n## Workarounds and Mitigations\n\nFor information about all other versions, contact IBM C\u00faram Social Program Management customer support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-05T12:02:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils library affect IBM C\u00faram Social Program Management (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-05T12:02:12", "id": "891E5F0424A107621BE648D5F1576C607F7834B3BC114E0F945E5010BA70A9F3", "href": "https://www.ibm.com/support/pages/node/5691476", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:40", "description": "## Summary\n\nFinancial Transaction Manager for Check Services (FTM CHK) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader. \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM CHK v3.0.0.0 - 3.0.0.15, v3.0.2.0 - 3.0.2.1, v3.0.5.0 - 3.0.5.4\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM CHK | 3.0.0.0 - 3.0.0.15 | PH16876 | [3.0.0.15-FTM-Check-MP-iFix0018](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0.15-FTM-Check-MP-iFix0018&includeSupersedes=0&source=fc>) \nFTM CHK | 3.0.2.0 - 3.0.2.1 | PH16876 | [3.0.2.1-FTM-Check-MP-iFix0020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.2.1-FTM-Check-MP-iFix0020&includeSupersedes=0&source=fc>) \nFTM CHK | 3.0.5.0 - 3.0.5.4 | PH16876 | [3.0.5.4-FTM-Check-MP-iFix0005](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.5.4-FTM-Check-MP-iFix0005&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-18T18:37:57", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-18T18:37:57", "id": "4C149E6F2A02DE48EF008D908A63161BF93C07DD6B16401AC765C3B64D274497", "href": "https://www.ibm.com/support/pages/node/1073868", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-25T01:38:37", "description": "## Summary\n\nIBM Security Guardium has addressed the following vulnerability\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium| 10.5 \nIBM Security Guardium| 10.6 \nIBM Security Guardium| 11.0 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium| 10.5| | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur\u2026](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p535_Bundle_Jul-16-2020&includeSupersedes=0&source=fc>) \n--- \nIBM Security Guardium| 10.6| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur\u2026](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p635_Bundle_Dec-24-2019&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.0| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur\u2026](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p20_Bundle_Mar-04-2020&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-10-06T20:51:11", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-06T20:51:11", "id": "DD34B9BC3B107A1DC572E91FE164C11C4D3B050CFD5A53884C66DA680566DEB4", "href": "https://www.ibm.com/support/pages/node/6027916", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:41", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli Access Manager for e-business. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Access Manager for e-business | 6.1.1.x \nIBM Tivoli Access Manager for e-business | 6.1.x \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli Access Manager for e-business \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-27T21:57:25", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server shipped with IBM Tivoli Access Manager for e-business (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-27T21:57:25", "id": "2F2115F5724B651AC6B9F0B28265F93BC7C9AB2AC6ADC0181AFF86004B79A417", "href": "https://www.ibm.com/support/pages/node/1284040", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:14", "description": "## Summary\n\nIBM Security Guardium has fixed this vulnerability \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium| 11.1 \n \n\n\n## Remediation/Fixes\n\nProduct| Versions| Fix \n---|---|--- \nIBM Security Guardium| 11.1| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p120_Bundle_Sep-27-2020&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p120_Bundle_Sep-27-2020&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-10-06T16:30:13", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by an Apache commons beanutils 1.9.2 library vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-06T16:30:13", "id": "17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "href": "https://www.ibm.com/support/pages/node/6343291", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:06", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0, 8.2.1, 8.2.2\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM Security Access Manager for Enterprise Single Sign-On.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0 | IBM WebSphere Application Server 7.0 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1 | IBM WebSphere Application Server 7.0, 8.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2 | IBM WebSphere Application Server 8.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-02T16:31:24", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-02T16:31:24", "id": "3E90D8B117724A689CF205EB148C972A5AC679705260655DC0A260183EE9C99E", "href": "https://www.ibm.com/support/pages/node/1116183", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:47:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Network Manager versions 3.9 and 4.1.1; IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2 \nITNM| 4.1.1 \nITNM| 3.9 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V8.5.0.0 through 8.5.5.16:** \n \nITNM| 4.1.1| \n\n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V7.0.0.0 through 7.0.0.45:** \n \nITNM| 3.9| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-24T12:04:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Network Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-24T12:04:50", "id": "E652AD074D4537242E4F6F6865F5497FE3BCB4D68389AAE0D3EB706D9D1DD1ED", "href": "https://www.ibm.com/support/pages/node/6116530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:46:52", "description": "## Summary\n\nIBM Spectrum Protect Plus is affected by a vulnerability in Apache Commons Beanutils that can result in a remote attacker gaining unauthorized access to the system. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Plus| 10.1.0-10.1.5 \n \n## Remediation/Fixes\n\n**Spectrum Protect** \n**Plus Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n10.1| 10.1.5.2199| Linux| <https://www.ibm.com/support/pages/node/1135035> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-30T22:19:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils affects IBM Spectrum Protect Plus (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-30T22:19:50", "id": "40F7CBCFB58A3B19B3D79CA6DAD7B6DC2BDC641FF8B170D51B354FDEBE613E4B", "href": "https://www.ibm.com/support/pages/node/6114232", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:37", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 - 1.1.3.5 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nJazz for Service Management version 1.1.3 - 1.1.3.5| Websphere Application Server Full Profile 8.5.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS interim fix.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-09T17:49:22", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-09T17:49:22", "id": "10FBEBB14A30BC73B75E0DF3E1AC14E07BC218A2AAE122217F23444AA2EEB55D", "href": "https://www.ibm.com/support/pages/node/5694309", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:43", "description": "## Summary\n\nIn Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAtlas eDiscovery Process Management | 6.0.x \n \n\n\n## Remediation/Fixes\n\n**_ Product_**\n\n| \n\n**_ VRMF_**\n\n| \n\n**_ Remediation/First Fix_** \n \n---|---|--- \n \nAtlas eDiscovery Process Management\n\n| \n\n6.0.x\n\n| \n\nApply Fix Pack **6.0.3.9**, available from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Atlas%20eDiscovery&product=ibm/Information+Management/Atlas+eDiscovery+Process+Management&release=6.0.3.9&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-06T06:28:13", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable to Apache Commons Beanutils in WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-06T06:28:13", "id": "41BB6A57FAD3A6133AC798B9A434DFE0BA0E9AC64CD3258AAECCEAD5451AF287", "href": "https://www.ibm.com/support/pages/node/5693133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:47:22", "description": "## Summary\n\nIBM Tivoli Netcool Impact has addressed the following Apache Commons Beanutils vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact 7.1.0| 7.1.0.0~7.1.0.17 \n \n\n\n## Remediation/Fixes\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| _7.1.0.18_| _IJ20163_| [IBM Tivoli Netcool Impact 7.1.0 FP18](<https://www.ibm.com/support/pages/node/1288570> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-23T12:41:17", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Commons Beanutils vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-23T12:41:17", "id": "E5BBCEF719E615994F1B258C759E10E101CC12EE74BBCBA1AFE726D5AFF29509", "href": "https://www.ibm.com/support/pages/node/6115930", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:56", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTivoli Common Reporting| 3.1.3 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n\n**Jazz for Service Management Releases \n**| **Remediation** \n---|--- \n1.1.3 - 1.1.3.7| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-15T15:14:57", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Common Reporting: TCR, a part of IBM Jazz for Service Management (JazzSM) is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-09-15T15:14:57", "id": "705D1AA8DC1EFC5A25852EAE8F70114AEDB618E07145B676E2B502DEDBEBA92D", "href": "https://www.ibm.com/support/pages/node/6333019", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:19", "description": "## Summary\n\nApache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.0 \nContent Collector for Email| 4.0.1 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.0, 4.0.1| Use Content Collector for Email 4.0.1.9 [Interim Fix IF006](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.9-IBM-ICC-IF006&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-08-06T17:01:19", "type": "ibm", "title": "Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server is vulnerable to Apache Commons beanutils", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-08-06T17:01:19", "id": "C22253825FA485019FC06565D7E7D6C4103E0C10B6510212859354833FAEB242", "href": "https://www.ibm.com/support/pages/node/6257133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:29", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server in IBM Cloud. \n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affect the following versions and releases of WebSphere Application Server and bundling products.\n\n * 9.0\n * 8.5\n\n## Remediation/Fixes\n\nTo patch new and existing service instances, refer to the IBM WebSphere Application Server bulletin listed below \n\n * [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-06T20:02:43", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils in IBM Cloud (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-06T20:02:43", "id": "E8E3D041384B3A1C50DFC8E8DD6B7415911290515C88A2C292DAF367F018B0E7", "href": "https://www.ibm.com/support/pages/node/1489029", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:16", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Security Key Lifecycle Manager | 4.0 \nIBM Security Key Lifecycle Manager | 3.0.1 \nIBM Security Key Lifecycle Manager | 3.0 \nIBM Security Key Lifecycle Manager | 2.7 \n \n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-08-06T18:27:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-08-06T18:27:22", "id": "6BA96613CB9284A12C5C7BA5B1AF346C52C407C3784639F8A63CA5F6E90563C2", "href": "https://www.ibm.com/support/pages/node/6257153", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:36", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \nPredictive Customer Intelligence 1.1.2| Websphere Application Server 9.0.0.4| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-23T19:24:17", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-23T19:24:17", "id": "037DC92C3964B9BE83FE00549FB0CE6C44ACB2D76406400ED57CA4D310EF3538", "href": "https://www.ibm.com/support/pages/node/6237856", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:55:02", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Business Service Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Business Service Manager 6.1.x| IBM WebSphere Application Server 7.0 \nIBM Tivoli Business Service Manager 6.2.0| IBM WebSphere Application Server 8.5 \n \n \n\n\n## Remediation/Fixes\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Business Service Manager 6.1.x| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nFor IBM WebSphere Application Server V7.0.0.0 through 7.0.0.45: \nThis vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ). \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* Tivoli Business Service Manager Fix Pack readme. \n \nIBM Tivoli Business Service Manager 6.2.0| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nFor IBM WebSphere Application Server V8.5.0.0 through 8.5.5.16: \nThis vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ). \n\\--OR-- \nApply Fix Pack [8.5.5.17](<https://www.ibm.com/support/pages/node/3444555> \"\" ). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-11T09:51:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Business Service Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-11T09:51:13", "id": "DC05F94C20E54530B22A0F7C5D47B16BEB79F796391043B6D8D2F3934DA6C247", "href": "https://www.ibm.com/support/pages/node/6226068", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:48", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services (FTM CPS) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nv3.0.2.0 - 3.0.2.1, v3.2.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM CPS | 3.0.2.0 - 3.0.2.1 | PH16877 | [3.0.2.1-FTM-CPS-MP-iFix0020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.2.1-FTM-CPS-MP-iFix0020&includeSupersedes=0&source=fc>) \nFTM CPS | 3.2.1.0 | PH16877 | [_3.2.1.0-FTM-CPS-MP-iFix0002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.2.1.0-FTM-CPS-MP-iFix0002&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-21T17:52:58", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-21T17:52:58", "id": "7E120392C6B27EF023444674C7B2E2BB0AF1032844B5941C3D340385D2344B0E", "href": "https://www.ibm.com/support/pages/node/1073870", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:37:31", "description": "## Summary\n\nA vulnerability in Apache Commons BeanUtils that is used by IBM InfoSphere Information Server was addressed. \n\n## Vulnerability Details\n\n**CVEID:** _[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>)_ \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server : versions 11.3, 11.5, 11.7 \nIBM InfoSphere Information Server on Cloud : versions 11.5, 11.7\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Apply InfoSphere Information Server version [_11.7.1.0_](<https://www.ibm.com/support/docview.wss?uid=ibm10878310>) \n\\--Apply InfoSphere Information Server _[11.7.1.1](<https://www.ibm.com/support/pages/node/6209196>)_ \n \n \nInfoSphere Information Server, Information Server on Cloud | 11.5 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Apply InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply InfoSphere Information Server [_11.5.0.2 Service Pack 6_](<https://www-01.ibm.com/support/docview.wss?uid=ibm10957521>) \n\\--Apply InfoSphere _[Information Server Framework Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_isf_ru13_services_engine_client_multi>)_ \nInfoSphere Information Server | 11.3 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Upgrade to a new release where the issue has been addressed \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-05-18T23:48:46", "type": "ibm", "title": "Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons BeanUtils CVE-2019-10086", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-05-18T23:48:46", "id": "39C354245E58DEA5508935346917841B7B505E810D13B316B0E6615AD25C04D2", "href": "https://www.ibm.com/support/pages/node/1116699", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:12", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version \n \n---|--- \n \nWebSphere Service Registry and Repository V8.5\n\n| \n\nWebSphere Application Server V8.5.5 \n \nWebSphere Service Registry and Repository V8.0\n\n| \n\nWebSphere Application Server V8.0 \n \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes: \n\n * [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nNote the following Flash before upgrading WebSphere Application Server:\n\n * [WebSphere Service Registry and Repository: Read First before upgrading to WebSphere Application Server V8.5.5 Fix Pack 14](<http://www.ibm.com/support/docview.wss?uid=ibm10738013>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "766578EB2C7BE8A81F504B4989C22C31CF802D03B94649D36D4712AB13F788F0", "href": "https://www.ibm.com/support/pages/node/1120095", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:27", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by IBM TNPM Wireline . This has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTNPM| 1.4.0 \nTNPM| 1.4.1 \nTNPM| 1.4.2 \nTNPM| 1.4.4 \nTNPM| 1.4.3 \n \n\n\n## Remediation/Fixes\n\n * **For TNPM Wireline 1.4.0**** **** **\nApply TNPM Wireline DataView interim fix [IF0066 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.0.0-TIV-TNPM-IF0066&source=SAR> \"IF0066\" )or later\n\n * **For TNPM Wireline 1.4.1**** **\n\nApply TNPM Wireline DataView interim fix [IF0034](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.1.0-TIV-TNPM-IF0034&source=SAR> \"IF0034\" ) or later \n\n\n * **For TNPM Wireline 1.4.2**\n\n** **Apply TNPM Wireline DataView interim fix [IF0025](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.2.0-TIV-TNPM-IF0025&source=SAR> \"IF0025\" ) or later\n\n * **For TNPM Wireline 1.4.3**\n\n** **Apply TNPM Wireline DataView interim fix [IF0018](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.3.0-TIV-TNPM-IF0018&source=SAR> \"IF0018\" ) or later\n\n * **For TNPM Wireline 1.4.4**\n\nApply TNPM Wireline DataView interim fix [IF0007 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.4.0-TIV-TNPM-IF0007&source=SAR> \"IF0007\" )or later \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-13T05:55:47", "type": "ibm", "title": "Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-13T05:55:47", "id": "A07C9B7C7D5952E2BBD4C0874BEC859D77892E662D993098C91BDFD5CD4FF6ED", "href": "https://www.ibm.com/support/pages/node/5737173", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:38", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Federated Identity Manager | All \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Federated Identity Manager 6.2.X | IBM Websphere Server V 7.X | [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-28T18:55:36", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-28T18:55:36", "id": "A1EF9298714E6ED876FC447E879AE4AEF24B3BAE418A5BF1CCD587D6F1B0DF70", "href": "https://www.ibm.com/support/pages/node/1284376", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal product and version| Affected product and version \n---|--- \nBusiness Monitor V8.5.7| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.6| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.5| WebSphere Application Server V8.5.5 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin \n[WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/884036>) \nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "9568E59FBC9F48E0CA633A74AB406265AC01F813ACFBBF2AC3F70CCAF62213C1", "href": "https://www.ibm.com/support/pages/node/1126671", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:43:16", "description": "## Summary\n\nThere is vulnerability in Apache Commons BeanUtils used by IBM Spectrum LSF Suite and Spectrum LSF Application Center. \n\n## Vulnerability Details\n\nCVEID: [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \nDESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nSpectrum LSF Suite 10.2, Spectrum LSF Application Center 10.2\n\n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nSpectrum LSF Suite\n\nSpectrum LSF Application Center\n\n| 10.2 | None | \n\n1\\. Download Apache Commons BeanUtils v1.9.4 from: <http://commons.apache.org/proper/commons-beanutils/download_beanutils.cgi>. (The following steps use x86_64 as an example.) \n2\\. Copy the package into the Application Center host. \n3\\. On the Application Center host, stop pmc and plc services. \n4\\. On the Application Center host, extract new files and replace old files with commons-beanutils-1.9.4.jar in the following directories:\n\n$PERF_TOP/1.2/lib/commons-beanutils.jar\n\n$GUI_TOP/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-beanutils-1.9.2.jar\n\n5\\. Delete all files under $GUI_TOP/work/platform/workarea. \n6\\. On the Application Center host, start plc and pmc services on demand. \n \n## Workarounds and Mitigations\n\nN/A\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-09-27T05:05:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons BeanUtils affect IBM Spectrum LSF Suite and Spectrum LSF Application Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-09-27T05:05:02", "id": "92627E627D103D4038024BCFD810986107E14AF89DB4426C430D1DE63EBADE27", "href": "https://www.ibm.com/support/pages/node/1073222", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with or required for IBM Tivoli Network Manager version 3.9, 4.1.1 and 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 3.9 \nITNM| 4.1.1.x \nITNM| 4.2 \n \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 3.9| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nSee Section For V7.0.0.0 through 7.0.0.45: \n \nITNM| 4.1.1.x| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nSee Section For V7.0.0.0 through 7.0.0.45: \n \nITNM| 4.2| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nSee Section For V8.5.0.0 through 8.5.5.16: \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-10-14T22:29:28", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server, which is shipped with or required for IBM Tivoli Network Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-14T22:29:28", "id": "661EF6C7BBF8AD251228707DD8EDA4B08D9235BFBAA6C9BCAC49A5F4CECDE3DD", "href": "https://www.ibm.com/support/pages/node/6348228", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-23T21:40:25", "description": "## Summary\n\nFinancial Transaction Manager for ACH Services (FTM ACH) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM ACH v3.0.6.0 - 3.0.6.10, v3.1.0.0 - 3.1.0.3\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM ACH | 3.0.6.0 - 3.0.6.10 | PH16868 | [3.0.6-FTM-ACH-MP-fp0011](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FFinancial+Transaction+Manager&fixids=3.0.6-FTM-ACH-MP-fp0011&source=SAR>) \nFTM ACH | 3.1.0.0 - 3.1.0.3 | PH16868 | [3.1.0.3-FTM-ACH-MP-iFix0015](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.1.0.3-FTM-ACH-MP-iFix0015&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-25T18:27:10", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-25T18:27:10", "id": "CB6124223B6F8216BA9E92EAD6DAFC187E51AC4BEC28594EAEF38B28FCD5792F", "href": "https://www.ibm.com/support/pages/node/1073866", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:10", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services (FTM CPS) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM CPS v2.1.1.0 - 2.1.1.4\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nFTM CPS\n\n| \n\n2.1.1.0 - 2.1.1.4\n\n| \n\nPH16878\n\n| \n\n[2.1.1-FTM-CPS-MP-FP0005](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=2.1.1-FTM-CPS-MP-fp0005&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-07-06T13:05:30", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Corporate Payment Services v2.1.1 is affected by a validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-07-06T13:05:30", "id": "7C687A5C4DA5F147CCB651C24229AA31D311EBB13BB2DF3508D7A6085EF3DD7D", "href": "https://www.ibm.com/support/pages/node/1073874", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:11", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin:](<https://www.ibm.com/support/pages/node/1115085>)[ WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>)\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1 | Websphere Application Server 8.5.5 | [Security Bulletin:](<https://www.ibm.com/support/pages/node/1115085>)[ WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nPredictive Customer Intelligence 1.1 and 1.1.1 | Websphere Application Server 8.5.5.6 | [Security Bulletin:](<https://www.ibm.com/support/pages/node/1115085>)[ WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nPredictive Customer Intelligence 1.1.2 | Websphere Application Server 9.0.0.4 | [Security Bulletin:](<https://www.ibm.com/support/pages/node/1115085>)[ WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-04T05:05:02", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-04T05:05:02", "id": "FE6A60EA653FEE6F655EBB8429BCB70E7D54726EC0055ECB440856BF66B419CA", "href": "https://www.ibm.com/support/pages/node/1118529", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:15", "description": "## Summary\n\nFinancial Transaction Manager for Digital Payments (FTM DP) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM DP v3.2.2.0 - v3.2.2.1\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM DP | 3.2.2.0 - 3.2.2.1 | PH16867 | [3.2.2.1-FTM-DP-MP-iFix0002](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.2.2.1-FTM-DP-MP-iFix0002&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-05-04T19:05:04", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-05-04T19:05:04", "id": "7AABFFD7EDE8A56FF3E63014903A8533BF0F07389F0D81F452A4D9AFF5CEB90B", "href": "https://www.ibm.com/support/pages/node/1073862", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-01T17:55:02", "description": "## Abstract\n\nThis Fix Readme includes instructions to upgrading the Apache Commons Beanutils jar to v1.9.4 for Atlas eDiscovery Process Management(6.0.1.x and 6.0.2.x versions)\n\n## Content\n\n**PSIRT details**: PRID: PVR0203016, Advisory ADV0020809 - Apache Commons Beanutils Vulnerability \nCVEID: CVE-2019-10086 \nCVSS Base Score: 5.3\n\n \n**Description**: Apache Commons Beanutils may allow a remote attacker to gain unauthorized access to the system, due to a failure to suppress the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\nFor more details on the security fix, please refer to the below link:\n\n<https://www.ibm.com/support/pages/node/5693133>\n\n \n**Fix**: \nThis fix is applicable for IBM Policy Atlas Suite version 6.0.1.x and 6.0.2.x \nThe commons-beanutils.jar must be upgraded from v1.9.2 to v1.9.4 in Policy Atlas and Atlas Extensions applications. For this ear files must be expanded before replacing the jar file and then compressed and deployed. \n\n \nTo apply the fix for Policy Atlas application, follow the steps mentioned below:\n\n 1. Backup the ear PolicyAtlas.ear.\n 2. Extract the ear file to PolicyAtlas folder.\n 3. Extract PolicyAtlas\\web.war to web folder.\n 4. Navigate to the PolicyAtlas\\web\\WEB-INF\\lib folder. \n 5. Replace the commons-beanutils.jar file with the one provided at the end of this document. \n 6. Compress the contents of the PolicyAtlas\\web folder and name it as web.war.\n 7. Compress the META-INF and web.war files.\n 8. Rename the zip file as PolicyAtlas.ear.\n 9. Deploy the Ear file.\n\n \nTo apply the fix for Atlas Extensions application, follow the steps mentioned below:\n\n 1. Backup the AtlasExtensions.ear file.\n 2. Extract the ear file to AtlasExtension folder.\n 3. Extract AtlasExtensions\\AtlasExtensions.war to AtlasExtensions folder.\n 4. Navigate to the AtlasExtensions\\AtlasExtensions\\WEB-INF\\lib folder.\n 5. Replace the commons-beanutils.jar file with the one provided at the end of this document. \n 6. Compress the contents of the AtlasExtensions\\AtlasExtensions folder and name it as AtlasExtensions.war.\n 7. Compress the META-INF and AtlasExtensions.war files.\n 8. Rename the zip file as AtlasExtensions.ear.\n 9. Deploy the Ear file.\n\n**Attachment: **Use this Apache Commons Beanutils jar\n\ncommons-beanutils.jar\n\n[{\"Line of Business\":{\"code\":\"\",\"label\":\"\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSXPJK\",\"label\":\"Atlas Policy Suite\"},\"ARM Category\":[],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Version(s)\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-28T07:57:33", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management(6.0.1.x and 6.0.2.x versions) is affected by a vulnerable Apache Commons Beanutils in WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-09-28T07:57:33", "id": "A0C17B7FA23DBF1DC4FACFA7A00FFB9DEE0554664F67073C8C966AAD62F6C865", "href": "https://www.ibm.com/support/pages/node/6337453", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:44:23", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| \n\n# [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)\u200b\u200b\u200b\u200b\u200b\u200b\u200b](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\u200b\u200b\u200b\u200b\u200b\u200b\u200b\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-25T08:59:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-25T08:59:00", "id": "4F83742D4D9E3F03A6481F27A21969D4333962D309ACFDC2D174BF09D63F0F8A", "href": "https://www.ibm.com/support/pages/node/3407751", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:26", "description": "## Summary\n\nIBM Content Navigator has addressed the following vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Content Navigator| 3.0CD \n \n## Remediation/Fixes\n\nProduct| VMRF| Remediation / First Fix \n---|---|--- \nIBM Content Navigator| 3.0 Continuous Delivery| 3.0.5. IF7 and above, 3.0.6 IF 3 and above \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-10-30T18:13:21", "type": "ibm", "title": "Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-10-30T18:13:21", "id": "9BBB794BF1DCF8660F8460268754D1A7E827EF26EEF07D631316C9EF5FC3CBDD", "href": "https://www.ibm.com/support/pages/node/1101321", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:20", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Maximo Asset Management | 7.6.1.0 \nIBM Maximo Asset Management | 7.6.0.10 \nIBM Maximo Asset Management | 7.6.1.1 \n \n## Remediation/Fixes\n\n# [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "D10B18EC28A032EFEE6049343ECB3633CC65AE8BDF915EC68181989AB9170F54", "href": "https://www.ibm.com/support/pages/node/1135486", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:47:04", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Netcool Configuration Manager version 6.4.1; IBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \nITNCM| 6.4.1 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease refer to section: **For V8.5.0.0 through 8.5.5.16:** \n \nITNCM| 6.4.1| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease refer to section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-24T12:15:52", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Netcool Configuration Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-24T12:15:52", "id": "03BD9C6A634D56977256D0EB02550574DC21A677D8E08EEB57FD8C5F206D469F", "href": "https://www.ibm.com/support/pages/node/6116548", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:21", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Application Server| 9.0 \nWebSphere Application Server| 8.0 \nWebSphere Application Server| 8.5 \nWebSphere Application Server| 7.0 \n \n\n\n## Remediation/Fixes\n\n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:**\n\n**For V9.0.0.0 through 9.0.5.1:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.5.2 or later (targeted availability 4Q2019).\n\n**For V8.5.0.0 through 8.5.5.16:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.17 or later (targeted availability 1Q2020).\n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to 8.0.0.15 and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ) \n\n\n**For V7.0.0.0 through 7.0.0.45:** \n\u00b7 Upgrade to 7.0.0.45 and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ) \n\n\n_WebSphere Application Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "CFD032C6816AA09BC4BFE927259D2C7496159BC447A779769DEB0DECC4952A56", "href": "https://www.ibm.com/support/pages/node/1115085", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-04T17:45:46", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Automation Workflow, IBM Business Process Manager, and WebSphere Enterprise Service Bus. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| V19.0 \nV18.0 \nIBM Business Process Manager| 8.6 \n8.5 \n8.0 \nWebSphere Enterprise Service Bus| 7.5 \n7.0 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin: [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2022-09-14T15:02:20", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2022-09-14T15:02:20", "id": "217BB6C17A6FD504F278CE0259F71540873D9ACBEC02EC2F580CED3F0A79FB4A", "href": "https://www.ibm.com/support/pages/node/1120077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-04T17:54:08", "description": "## Summary\n\nIBM Sterling Order Management use Apache Commons BeanUtils and are affected by some of the vulnerabilities that exist in this component. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \nIBM Sterling Order Management| 9.5 \nIBM Sterling Order Management| 9.4 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**\n\n| \n\n**_Security Fix Pack*_**\n\n| \n\n**_How to acquire fix_** \n \n---|---|--- \n \nIBM Sterling Order Management 9.4.0\n\n| \n\n_9.4.0-SFP6_\n\n| \n\n[_https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.4.0.0%20Sterling%20SSFF%20Security&tabType[0]=support_](<https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.4.0.0%20Sterling%20SSFF%20Security&tabType\\[0\\]=support> \"https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.4.0.0%20Sterling%20SSFF%20Security&tabType\\[0\\]=support\" )\n\n_ _\n\n_Select appropriate VRMF_ \n \nIBM Sterling Order Management 9.5.0\n\n| \n\n_9.5.0-SFP5_\n\n| [https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.5.0.0%20Sterling%20SSFF%20Security&tabType[0]=support](<https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.5.0.0%20Sterling%20SSFF%20Security&tabType\\[0\\]=support> \"https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=9.5.0.0%20Sterling%20SSFF%20Security&tabType\\[0\\]=support\" ) \n\n\n_ _\n\n_Select appropriate VRMF_ \n \nIBM Sterling Order Management 10.0\n\n| \n\n_10.0-SFP2_\n\n| \n\n[_https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=Foundation10%20Security&tabType[0]=support_](<https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=Foundation10%20Security&tabType\\[0\\]=support> \"https://www.ibm.com/search?lang=en&cc=us&facetTabs=fixes&origin=fc&q=Foundation10%20Security&tabType\\[0\\]=support\" )\n\n_ _\n\n_Select appropriate VRMF_ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-11-01T14:26:20", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by Apache Commons BeanUtils security vulnerabilities (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2021-11-01T14:26:20", "id": "1EB9F8573A9E928E14652E6C4EA6633663E35B33C744263304C0A5C14EC87569", "href": "https://www.ibm.com/support/pages/node/6349695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:51:26", "description": "## Summary\n\nWebsphere Application Server (Liberty profile) is shipped as a component of IBM Operations Analytics Predictive Insights. Information about a security vulnerability affecting Liberty profile has been disclosed in a security bulletin. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights| All \n \n\n\n## Remediation/Fixes\n\nApply 1.3.6 Interim Fix 3 \n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6> \"https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6\" )\n\nNote that for versions prior to 1.3.6 ONLY the UI component should be updated using interim Fix 3. Nothing else in the interim fix is relevant for this bulletin.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-31T14:56:31", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM WebSphere Application Server(Liberty profile) affects IBM Operations Analytics Predictive Insights (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-31T14:56:31", "id": "E01AE27864F5D21E9DE4882755AFD601FD4EE9EEF1B77AD913AFA5BAC1F8BF77", "href": "https://www.ibm.com/support/pages/node/6324721", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:55:09", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-05T07:58:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-05T07:58:34", "id": "E362EBCBEB18984C3F95A2E9B16F0D6BCB101E27F50F764417CF1574FE5064FC", "href": "https://www.ibm.com/support/pages/node/6220422", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:35", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of IBM Operations Analytics Predictive Insights. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Products and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nIBM Operations Analytics Predictive Insights v1.3.3| Websphere Application Server 8.5 \nIBM Operations Analytics Predictive Insights v1.3.5| Websphere Application Server 8.5 \nIBM Operations Analytics Predictive Insights v1.3.6| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\nMore information and recommended solutions are disclosed with the security bulletin: [Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-28T18:26:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Operations Analytics Predictive Insights (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-28T18:26:51", "id": "99126F9F2548EE2300C741A1541AAF9CD2E67330BBEEA99D1CCE5C23EA09B155", "href": "https://www.ibm.com/support/pages/node/6324269", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Cloud Pak for Applications. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nIBM Cloud Pak for Applications, all versions | WebSphere Application Server: \n\n * 9.0\n * 8.5\n * 8.0\n * 7.0\n\nWebSphere Liberty Server:\n\n * 17.0.0.3 - 20.0.0.4 \n \n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n * ## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-27T15:07:33", "type": "ibm", "title": "Security Bulletin: Information disclosure vulnerability in WebSphere Application Server shipped in IBM Cloud Pak for Applications (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-27T15:07:33", "id": "B2B33DC1DCAEC07D9F9164E0AD1390F5BFB58C4EE2BDF74B976625E39A9F5AF0", "href": "https://www.ibm.com/support/pages/node/6253273", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Network Manager IP Edition versions 4.1.1 and 3.9; IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager IP Edition version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2.0 \nITNM| 4.1.1 \nITNM| 3.9 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.2.0| \n\n[Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V8.5.0.0 through 8.5.5.17:** \n \nITNM| 4.1.1| \n\n[Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V7.0.0.0 through 7.0.0.45:** \n \nITNM| 3.9| \n\n[Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-08-13T10:27:30", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Network Manager IP Edition (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-13T10:27:30", "id": "47377382FB42339D4CE97A4452C254F07E69CAE5413DDD356B24FAAA26841F46", "href": "https://www.ibm.com/support/pages/node/6259381", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:52:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Netcool Configuration Manager version 6.4.1; IBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \nITNCM| 6.4.1 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| [Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee Section: **V8.5.0.0 through 8.5.5.17:** \n \nITNCM| 6.4.1| \n\n[Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee Section: **V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-08-13T10:29:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Netcool Configuration Manager (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-13T10:29:06", "id": "C6780300E3EFD7F6811EECD650C04D87FD052560A5F1FA302479AFF8AA4F7FDC", "href": "https://www.ibm.com/support/pages/node/6259383", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:47:13", "description": "## Summary\n\nIn the WebSphere Application Server (WAS) admin console where the Rational Asset Manager (RAM) is deployed, allowing a remote attacker obtaining sensitive information caused by improper parameter checking is observed. Information about this security vulnerability affecting WebSphere Application Server is published in the respective security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.\n\n**NOTE:** Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server.\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). \n\n** Affected Supporting Product**| ** Affected Supporting Product Security Bulletin** \n---|--- \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0.| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-28T06:57:46", "type": "ibm", "title": "Security Bulletin: Security vulnerability are identified in WebSphere Application Server where Rational Asset Manager is deployed (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-01-28T06:57:46", "id": "3D04811CD7C9B337157F4E06A7E1B2584D270E7E69B726B8521CEEE31E88AF6A", "href": "https://www.ibm.com/support/pages/node/6409368", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:39", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0, 8.2.1, 8.2.2\n\n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0| IBM WebSphere Application Server 7.0| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1| IBM WebSphere Application Server 7.0, 8.5| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2| IBM WebSphere Application Server 8.5| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-05-14T16:46:44", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-05-14T16:46:44", "id": "4C530226C2C82FCA90A29F26A05A9D0BF640534450027EDE7596BB30563A3845", "href": "https://www.ibm.com/support/pages/node/6209267", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:29", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \nIBM Case Manager| 5.2.1 \nIBM Case Manager| 5.2.0 \nIBM Case Manager| 5.1.1 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-05-28T21:17:45", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-05-28T21:17:45", "id": "E8347ACAF81B4BEE7BCA21CC0C47E2063445B19E9FA4E4431CEF5FAB5FF7AE86", "href": "https://www.ibm.com/support/pages/node/6202519", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:34", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nPredictive Customer Intelligence 1.1.2| Websphere Application Server 9.0.0.4| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-23T19:40:49", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-23T19:40:49", "id": "B2A50DF3EC1594620E8A37ADF929CB730D5142281927CA3F2AE3C4F02F910D8B", "href": "https://www.ibm.com/support/pages/node/6237860", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:48:26", "description": "## Summary\n\nA potential vulnerability has been identified related to IBM WebSphere Application Server. Refer to details for additional information.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWA for ICP| 1.4.0, 1.4.1, 1.4.2 \n \n\n\n## Remediation/Fixes\n\nUpgrade to the latest (1.5.0) release of WA for CP4D which maintains backward compatibility with the versions listed above.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-12-09T16:32:11", "type": "ibm", "title": "Security Bulletin: Potential vulnerability with IBM WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-12-09T16:32:11", "id": "0E85F055F69C36F1AFCDA9AA4C7476B24B7826864D94024DCA43C8F828A3D547", "href": "https://www.ibm.com/support/pages/node/6378000", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:47", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Netcool Configuration Manager version 6.4.1. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.1 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.1| [Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-08-24T12:51:39", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-24T12:51:39", "id": "3F0DB6A6B43161E807AC17CE719A18BD26C81F3134F4959AA51E211376F74BD1", "href": "https://www.ibm.com/support/pages/node/6320869", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:54:17", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Netcool Impact. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Tivoli Netcool Impact 7.1.0.0 - 7.1.0.19\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Impact. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| IBM WebSphere Application Server Liberty| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-01T10:32:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-01T10:32:11", "id": "4BFA3A2F692D8FC8DE4F07BCA56AA58679411D74D1AC3CD28957EF6A817C1264", "href": "https://www.ibm.com/support/pages/node/6242964", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:51", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Security Identity Manager (ISIM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) Version(s) | Affected Supporting Product(s) Version(s) \n---|--- \nISIM 6.0.0 | WAS 8.5 \nISIM 6.0.2 | WAS 9 \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version(s) | Affected Supporting Product Security Bulletin \n---|---|--- \n \nISIM 6.0.0\n\nISIM 6.0.2\n\n| WAS 8.5\n\nWAS 9.0\n\n| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-15T16:55:47", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Identity Manager(CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-15T16:55:47", "id": "20FC8D083652BD9620AA16329F2B0D169CF687E1B0F904A9AC013C7517AD365E", "href": "https://www.ibm.com/support/pages/node/6217539", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:45", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Rational ClearCase| 8.0.0 \nIBM Rational ClearCase| 9.0 \nIBM Rational ClearCase| 9.0.1 \nIBM Rational ClearCase| 9.0.2 \nIBM Rational ClearCase| 8.0.1 \n \nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x:**\n\n * These vulnerabilities only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server.\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x| IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0.| \n\n[Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2020-4329\$\" ) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-05-08T18:20:27", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-05-08T18:20:27", "id": "958D3B4A5A0C1FD39CFF6BC608C4A1729951FA8F9C647E5838B8F638A26061A5", "href": "https://www.ibm.com/support/pages/node/6208019", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:44:26", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager.\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| \n\n# [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-24T22:19:08", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-24T22:19:08", "id": "D414FED16B358AD7FE6B00E67C7AA1DB43FD19DDFB901B5F7ABA9F0E20BEB6EC", "href": "https://www.ibm.com/support/pages/node/6203774", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:55:02", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Security Key Lifecycle Manager | 4.0 \n \n## Remediation/Fixes\n\nPlease consult the following Security Bulletins: \n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-10T19:25:27", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-10T19:25:27", "id": "4F2D82A4F724C8AC105424E03F5FBC319EFED1ECC4C4FC502E3EE79470EB24D9", "href": "https://www.ibm.com/support/pages/node/6224112", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:58", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)** | **Version(s)** | **Affected Supporting Product and Version ** \n---|---|--- \nIBM Security Key Lifecycle Manager | 4.0 | WebSphere\u00ae Application Server, Version 9.0.5.0 \nIBM Security Key Lifecycle Manager | 3.0.1 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager | 3.0 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager | 2.7 | WebSphere Application Server v9.0.0.1 \nIBM Security Key Lifecycle Manager | 2.6 | WebSphere Application Server v8.5.5.7 \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-30T20:08:13", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-30T20:08:13", "id": "28F8FE772F7744066E89072F94BE119B652D05DADA694784B7CCD72965C551F7", "href": "https://www.ibm.com/support/pages/node/6204115", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:45", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Business Service Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Tivoli Business Service Manager 6.1.0 all Fixpacks \nIBM Tivoli Business Service Manager 6.1.1 all Fixpacks \nIBM Tivoli Business Service Manager 6.2.0.0 \u2013 6.2.0.2 Interim Fix 1\n\n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM Tivoli Business Service Manager. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Business Service Manager 6.1.0 \nIBM Tivoli Business Service Manager 6.1.1| IBM WebSphere Application Server 7.0| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nIBM Tivoli Business Service Manager 6.2.0| IBM WebSphere Application Server 8.5| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-19T05:36:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Business Service Manager (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-19T05:36:25", "id": "51D185DB29AE6E4FAD71119D872DA0F52814A6C17A59AD1AF9B79D0668C33FBB", "href": "https://www.ibm.com/support/pages/node/6235662", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:23", "description": "## Summary\n\nThere is a vulnerability in IBM WebSphere Application Server Liberty used by IBM License Metric Tool. This issue allows to conduct spoofing attacks.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM License Metric Tool| All \n \n\n\n## Remediation/Fixes\n\nUpgrade to version 9.2.20 or later using the following procedure: \n\nIn BigFix console, expand IBM License Reporting (ILMT) node under Sites node in the tree panel. \nClick Fixlets and Tasks node. Fixlets and Tasks panel will be displayed on the right. \nIn the Fixlets and Tasks panel locate Upgrade to the latest version of IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-30T09:23:01", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2020-4329).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-30T09:23:01", "id": "3BEB441D10779A1942BF02B10D6A1555A8433CFB0B2D08C01720323538A45578", "href": "https://www.ibm.com/support/pages/node/6242122", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:49", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Network Manager version 4.1.1 and version 3.9. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.1.1 \nITNM| 3.9 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.1.1| [Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V7.0.0.0 through 7.0.0.45:** \n \nITNM| 3.9| \n\n[Information disclosure in WebSphere Application Server](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server\" )\n\nSee section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-08-24T12:30:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with IBM Tivoli Network Manager IP Edition (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-24T12:30:17", "id": "21A78502CF868CEFFA6DC5C776E16EE0EDF33BAA9E7F3DE611912CC218BF6C9D", "href": "https://www.ibm.com/support/pages/node/6320865", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T17:46:02", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n## \n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nWebSphere Application Server Patterns, all versions| WebSphere Application Server: \n\n * Liberty\n * 8.0\n * 8.5\n * 9.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-28T14:31:48", "type": "ibm", "title": "Security Bulletin: Information disclosure in WebSphere Application Server shipped with IBM WebSphere Application Server Patterns (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-28T14:31:48", "id": "AE9FCFFF0398E144DDAD797967457B662931846E8FEE6194A2655AA5B730BCBC", "href": "https://www.ibm.com/support/pages/node/6202482", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:47:37", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. It has been addressed with https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Workload Scheduler| 9.5 \n \n\n\n## Remediation/Fixes\n\nAPAR IJ30011 has been opened to address CVE-2020-4329. \nApar IJ30011 has been included in IBM Workload Scheduler 9.5 FP03 and it is already available on FixCentral.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-11T08:13:56", "type": "ibm", "title": "Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329) may affect IBM Workload Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-01-11T08:13:56", "id": "C22CC0C04AA48102CB2EBEF5AD691FDAD7FE1267768536619BBE66401698B809", "href": "https://www.ibm.com/support/pages/node/6402479", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:45:12", "description": "## Summary\n\nIBM Security Directory Suite (SDS VA) has addressed the following vulnerability due to remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSDS VA| 8.0.1 \n \n\n\n## Remediation/Fixes\n\n## \n\n\n**Product** | **VRMF**| **Remediation** \n---|---|--- \nIBM Security Directory Suite| 8.0.1.15| [8.0.1.15-ISS-ISDS_20210108-0043](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Security+Directory+Suite&fixids=8.0.1.15-ISS-ISDS_20210108-0043.pkg&source=SAR&function=fixId&parent=IBM%20Security> \"8.0.1.15-ISS-ISDS_20210108-0043\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-03-16T20:01:45", "type": "ibm", "title": "Security Bulletin: IBM Security Directory Suite is affected by a vulnerability (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-03-16T20:01:45", "id": "CE7B09FDAB4AD52C4D2DF48D876D11F77AB8D075D2126DF86BCFAB3FD1F6D522", "href": "https://www.ibm.com/support/pages/node/6430721", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:53:35", "description": "## Summary\n\nSecurity vulnerability affects IBM Watson Explorer.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Explorer Deep Analytics Edition oneWEX Components| \n\n12.0.0.0, 12.0.0.1\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3 \n \nIBM Watson Explorer Deep Analytics Edition Analytical Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3 \n \nIBM Watson Explorer Deep Analytics Edition Annotation Administration Console| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3 \n \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.7 \nIBM Watson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.7 \nIBM Watson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2 \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.6 \n \n## Remediation/Fixes\n\n**Affected Product**| **Affected Versions**| **Fix** \n---|---|--- \nIBM Watson Explorer DAE \noneWEX Components| \n\n12.0.0.0, 12.0.0.1\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3\n\n| \n\nUpgrade to Version 12.0.3.4. \n\nSee [Watson Explorer Version 12.0.3.4 oneWEX](<https://www.ibm.com/support/pages/node/6244512>) for download information and instructions. \n \nIBM Watson Explorer DAE Analytical Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3\n\n| \n\nUpgrade to Version 12.0.3.4. \n\nSee [Watson Explorer Version 12.0.3.4 Analytical Components](<https://www.ibm.com/support/pages/node/6244516>) for download information and instructions. \n \nIBM Watson Explorer DAE Foundational Components Annotation Administration Console| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.3\n\n| \n\nUpgrade to Version 12.0.3.4. \n\nSee [Watson Explorer Version 12.0.3.4 Foundational Components](<https://www.ibm.com/support/pages/node/6244514>) for download information and instructions. \n \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.7| Upgrade to Watson Explorer Analytical Components Version 11.0.2 Fix Pack 8. For information about this version, and links to the software and release notes, see the [download document](<https://www.ibm.com/support/pages/node/6244518>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nIBM Watson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - 11.0.2.7| Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2 Fix Pack 8. For information about this version, and links to the software and release notes, see the [download document](<https://www.ibm.com/support/pages/node/6244520>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nIBM Watson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| **Important:** Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF008** and extract the contents of the fix into a temporary directory.\n 3. See the [Updating WebSphere Liberty and IBM Java Runtime used in IBM Watson Explorer Analytical Components](<https://www.ibm.com/support/pages/node/6250385>) for detailed instructions how to apply the fix. \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.6| \n\n 1. If not already installed, install Watson Explorer Foundational Components Annotation Administration Console Version 10.0 Fix Pack 6 (see the [download document](<https://www.ibm.com/support/pages/node/877462>)).\n 2. Download the package for your edition (Enterprise or Advanced) from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.6&platform=All&function=all#Others>): interim fix **10.0.0.6-WS-WatsonExplorer-<Edition>FoundationalAAC-IF003** and extract the contents of the fix into a temporary directory.\n 3. See the [Updating WebSphere Liberty and IBM Java Runtime used in IBM Watson Explorer Analytical Components](<https://www.ibm.com/support/pages/node/6250385>) for detailed instructions how to apply the fix. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-22T06:09:43", "type": "ibm", "title": "Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-22T06:09:43", "id": "C9DE4845305DF0F83378929053ED892F37959591039ECF2D78BF547B6F112585", "href": "https://www.ibm.com/support/pages/node/6250343", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:12", "description": "## Summary\n\nInformation disclosure in WebSphere Liberty component used by the Event Streams REST implementation\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Event Streams| 2019.2.1, 2019.4.1, 2019.4.2 \nIBM Event Streams in IBM Cloud Pak for Integration| 2019.2.2, 2019.2.3, 2019.4.1, 2019.4.2 \n \n\n\n## Remediation/Fixes\n\nUpgrade from IBM Event Streams 2019.2.1, IBM Event Streams 2019.4.1 and IBM Event Streams 2019.4.2 to the [latest Fix Pack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/IBM+Event+Streams&release=All&platform=All&function=all> \"latest Fix Pack\" ). \n\nUpgrade IBM Event Streams 2019.2.2, IBM Event Streams 2019.2.3, IBM Event Streams 2019.4.1 and IBM Event Streams 2019.4.2 in IBM Cloud Pak for Integration by downloading IBM Event Streams 2019.4.3 in IBM Cloud Pak for Integration 2020.1.1.1 from IBM Entitled Registry\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-10T12:47:32", "type": "ibm", "title": "Security Bulletin: Information disclosure in WebSphere Liberty (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-10T12:47:32", "id": "6A0D9421C284C29C699BD48273C99B57CF4E764A76760B5A163F68BA4E03AA6F", "href": "https://www.ibm.com/support/pages/node/6257791", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:45:39", "description": "## Summary\n\nIBM Security Privileged Identity Manager has addressed an issue for Information disclosure in WebSphere Application Server - Liberty.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nISPIM| 2.1.1 \nISPIM| 2.0.2 \nISPIM| 2.1.0 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s) | Remediation \n---|---|--- \nISPIM| 2.1.1| [2.1.1-ISS-ISPIM-VA-FP0006](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.1.1&platform=All&function=fixId&fixids=2.1.1-ISS-ISPIM-VA-FP0006> \"\" ) \n \nISPIM| 2.1.0| [2.1.0-ISS-ISPIM-VA-FP0013](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.1.1&platform=All&function=fixId&fixids=2.1.0-ISS-ISPIM-VA-FP0013&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=SAR> \"\" ) \n---|---|--- \nISPIM| 2.0.2| [2.0.2-ISS-ISPIM-VA-FP0013](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.0.2&platform=Linux&function=fixId&fixids=2.0.2-ISS-ISPIM-VA-FP0013&includeRequisites=1&includeSup> \"\" ) \n---|---|--- \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-03-09T09:29:25", "type": "ibm", "title": "Security Bulletin: IBM Security Privileged Identity Manager is affected by an information disclosure (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-03-09T09:29:25", "id": "EE8D3A0FEFA67706787A5BC66641D09B2650AEC307F61637154D7B7341BF2EB2", "href": "https://www.ibm.com/support/pages/node/6427555", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:50:30", "description": "## Summary\n\nA security vulnerability has been identified In WebSphere Liberty Server shipped with IBM Global Mailbox.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Global High Availability Mailbox| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nGlobal Mailbox version 6.1.0.0 \n\n| \n\nWebsphere Liberty version 20.0.0.5\n\n| \n\n[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n \nB2Bi v6.1.0.0 is now available on Passport Advantage and Fix Central.\n\nHere are the Fix Central links for IIM images.\n\nB2Bi ( Media +SDK)\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-B2Bi-All&source=dbluesearch&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-B2Bi-All&source=dbluesearch&function=fixId&parent=ibm/Other%20software>)\n\nSFG ( Media +SDK)\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.1.0.0-OtherSoftware-SFG-All&source=SAR&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.1.0.0-OtherSoftware-SFG-All&source=SAR&function=fixId&parent=ibm/Other%20software>)\n\nSwift package\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-all-Swift2016&source=SAR&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-all-Swift2016&source=SAR&function=fixId&parent=ibm/Other%20software>)\n\nStandard Executables\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-all-Standards-exe-MapEditor-exe&source=SAR&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.0.0-OtherSoftware-all-Standards-exe-MapEditor-exe&source=SAR&function=fixId&parent=ibm/Other%20software>)\n\nAll above executables as well as **Certified Container images** are also available on Passport Advantage now.\n\nNote:- For 6.1.0.0 we did not publish docker images.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-09-29T08:51:15", "type": "ibm", "title": "Security Bulletin: Security vulnerability in WebSphere Liberty Server shipped with IBM Global Mailbox (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-09-29T08:51:15", "id": "A5681F729F28C250FF23C2C5EBBDC80244D85B4A5269BFE579C846E02438C673", "href": "https://www.ibm.com/support/pages/node/6339077", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:50", "description": "## Summary\n\nIBM WebSphere\u00ae Application Server is shipped with IBM\u00ae Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere\u00ae Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \n \nIBM\u00ae Intelligent Operations Center\n\nV1.5.0, V1.5.0.1, V1.5.0.2, V1.6.0, V1.6.0.1, V1.6.0.2, V1.6.0.3, V5.1.0, V5.1.0.1, V5.1.0.2, V5.1.0.3, V5.1.0.4, V5.1.0.5, V5.1.0.6, V5.1.0.7, V5.1.0.8, V5.1.0.9, V5.1.0.10, V5.1.0.11, V5.1.0.12, V5.1.0.13, V5.1.0.14, V5.2.0, and V5.2.1\n\n| \n\nIBM WebSphere\u00ae Application Server\n\nV7.0, V8.0, V8.5, V9.0, and Liberty \n \nIBM\u00ae Intelligent Operations Center for Emergency Management\n\nV1.6, V5.1.0, V5.1.0.1, V5.1.0.2, V5.1.0.3, V5.1.0.4, V5.1.0.5, and V5.1.0.6\n\n| \n \nIBM\u00ae Water Operations for Waternamics\n\nV5.1, V5.2.0, V5.2.0.1, V5.2.0.2, V5.2.0.3, V5.2.0.4, V5.2.0.5, V5.2.0.6, V5.2.1, and V5.2.1.1\n\n| \n \n\n\n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure vulnerability in WebSphere Application Server \$CVE-2020-4329\$\" ). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-05-05T16:57:36", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-05-05T16:57:36", "id": "5918C016B20B5ACA60A7D119FD2C32C94F0627AB911B7E60826658D357145A38", "href": "https://www.ibm.com/support/pages/node/6205936", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:46:04", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Application Server Liberty| 17.0.0.3 - 20.0.0.4 \nWebSphere Application Server| 9.0 \nWebSphere Application Server| 7.0 \nWebSphere Application Server| 8.0 \nWebSphere Application Server| 8.5 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical. **For WebSphere Application Server Liberty:**\n\n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH20847](<https://www.ibm.com/support/pages/node/6198862> \"Fix PH20847\" ) \n\\--OR-- \n\u00b7 Apply Fix Pack 20.0.0.5 or later (targeted availability 2Q2020).\n\n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:**\n\n**For V9.0.0.0 through 9.0.5.3:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH20847](<https://www.ibm.com/support/pages/node/6198862> \"PH20847\" ). \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.5.4 or later (targeted availability 2Q2020). \n\n**For V8.5.0.0 through 8.5.5.17:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH20847](<https://www.ibm.com/support/pages/node/6198862> \"PH20847\" ). \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.18 or later (targeted availability 3Q2020).\n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to 8.0.0.15 and then apply Interim Fix [PH20847](<https://www.ibm.com/support/pages/node/6198862> \"PH20847\" ). \n\n\n**For V7.0.0.0 through 7.0.0.45:** \n\u00b7 Upgrade to 7.0.0.45 and then apply Interim Fix [PH20847](<https://www.ibm.com/support/pages/node/6198862> \"PH20847\" ). \n\n\nAdditional interim fixes may be available and linked off the interim fix download page.\n\n_WebSphere Application Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-27T19:32:21", "type": "ibm", "title": "Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-27T19:32:21", "id": "F171D1A128ED9F033A8E4EB7F107F3B0F58ABA4074ACD771E59F004AAC676A0A", "href": "https://www.ibm.com/support/pages/node/6201862", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:53:33", "description": "## Summary\n\nWebsphere Application Server Liberty vulnerability CVE-2020-4329 affecting IBM Streams\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Streams| 4.1.1.x \nInfoSphere Streams| 4.2.1.x \nInfoSphere Streams| 4.3.1.x \n \n\n\n## Remediation/Fixes\n\nVersion 4.x.x: Apply [4.3.1 Fix Pack 3 or higher](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%20Management&product=ibm/Information+Management/InfoSphere+Streams&release=4.3.1.2&platform=All&function=all> \"4.3.1 Fix Pack 3 or higher\" )\n\nVersions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.3.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-22T21:15:30", "type": "ibm", "title": "Security Bulletin: Websphere Application Server Liberty vulnerabilities used by IBM Streams", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-22T21:15:30", "id": "AAB63CA611C91C086C2D2BC4EDEABC95ECFE557C5518B51036200FBBD8C29B34", "href": "https://www.ibm.com/support/pages/node/6252019", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:53:37", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3-1.1.3.7 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nJazz for Service Management version 1.1.3 - 1.1.3.7| Websphere Application Server Full Profile 8.5.5 | [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \nJazz for Service Management version 1.1.3.7| \n\nWebsphere Application Server Full Profile 9.0\n\n| [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS interim fix.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-21T15:57:58", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to CVE-2020-4329", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-21T15:57:58", "id": "6AF6A75AB47A85BD264ED489D020A601CD49E58065CEDF72F8DBC129C0B69CAB", "href": "https://www.ibm.com/support/pages/node/6251245", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:53:58", "description": "## Summary\n\nIBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Control Center| 6.1.3 \nIBM Control Center| 6.1.2.1 \nIBM Control Center| 6.0.0.2 \n \n\n\n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**iFix**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n \nIBM Control Center\n\n| \n\n6.1.3.0\n\n| \n\niFix02\n\n| \n\n[Fix Central - 6.1.3.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.3.0&platform=All&function=all>) \n \nIBM Control Center\n\n| \n\n6.1.2.1\n\n| \n\niFix04\n\n| \n\n_[Fix Central - 6.1.2.1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.2.1&platform=All&function=all>)_ \n \nIBM Control Center\n\n| \n\n6.0.0.2\n\n| \n\niFix11\n\n| \n\n[Fix Central - 6.0.0.2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.2&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-16T18:48:02", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server Vulnerability Affects IBM Control Center (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-16T18:48:02", "id": "65AC33072AF8ABBAA1E90D22A6164663D0FCF7967CC7051A7C6B601CEA97BF53", "href": "https://www.ibm.com/support/pages/node/6249991", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:14", "description": "## Summary\n\nAn Information disclosure related vulnerability has been found in IBM WebSphere Application Server - Liberty which is used by IBM License Key Server Administration & Reporting Tool (ART) and Administration Agent. The remediation has been included in the latest release of ART and Agent.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nART/Agent| 8.1.5 \nART/Agent| 8.1.5.1 \nART/Agent| 8.1.5.2 \nART/Agent| 8.1.5.3 \nART/Agent| 8.1.5.4 \nART/Agent| 8.1.5.5 \nART/Agent| 8.1.5.6 \nART/Agent| 8.1.6 \nART/Agent| 8.1.6.1 \nART/Agent| 8.1.6.2 \nART/Agent| 8.1.6.3 \nART/Agent| 8.1.6.4 \n \n\n\n## Remediation/Fixes\n\nUpgrade to the version 8.1.6.5 of ART and Agent. Refer [Release Notes 8.1.6.5](<https://www.ibm.com/support/pages/node/6202749> \"Release Notes 8.1.6.5\" ) for Download and Application Instructions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-06T16:48:51", "type": "ibm", "title": "Security Bulletin: An Information Disclosure vulnerability in IBM Websphere Libtery affects IBM License Key Server Administration & Reporting Tool and Administration Agent", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-06T16:48:51", "id": "693658DCE0F371748D69D63EAD5B48AAC0350649F64CFEB925F5CA6BD3E2A97C", "href": "https://www.ibm.com/support/pages/node/6244170", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:17", "description": "## Summary\n\nRational Asset Analyzer (RAA) has addressed the following vulnerability in WebSphere Application Server.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nAsset Analyzer (RAA)| 6.1.0.0 - 6.1.0.23 \n \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation / First Fix** \n---|---|---|--- \nRational Asset Analyzer| 6.1.0.23 Refresh | NONE| [ RAA 6.1.0.23 Refresh for Windows](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=Windows&function=all> \"Windows\" )\n\n[ RAA 6.1.0.23 Refresh for z/OS](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=z/OS&function=all> \"z/OS\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-01T01:49:42", "type": "ibm", "title": "Security Bulletin: Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-01T01:49:42", "id": "6319DF1B256EC58709172407AF4A25DE3588354F1CDF0FE760752C81DC6DA075", "href": "https://www.ibm.com/support/pages/node/6242798", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:40", "description": "## Summary\n\nIBM MobileFirst Platform Foundation has addressed the following vulnerability: Information disclosure in WebSphere Application Server - Liberty\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MobileFirst Platform Foundation| 8.0.0.0 - ICP, IKS or using the scripts (BYOL), OCP/ICPA \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM MobileFirst Platform Foundation| 8.0.0.0| Download the iFix from [IBM MobileFirst Platform Foundation on FixCentral](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+MobileFirst+Platform+Foundation&fixids=8.0.0.0-MFPF-IF202008201003-CDUpdate-07&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-27T10:38:32", "type": "ibm", "title": "Security Bulletin: Information disclosure vulnerability in WebSphere Application Server - Liberty affects IBM MobileFirst Platform Foundation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-27T10:38:32", "id": "717EA7B7E291CEAF2956470CE508AB38C2BF8E63133D28CF594496671ADDDEE9", "href": "https://www.ibm.com/support/pages/node/6323573", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:19", "description": "## Summary\n\nIBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Use Content Collector for Email 4.0.1.9 [Interim Fix IF006](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.9-IBM-ICC-IF006&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-06T16:49:03", "type": "ibm", "title": "Security Bulletin: Content Collector for Email is affected by a Information disclosure in embedded WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-06T16:49:03", "id": "89289E9A98285CD79B0D3F1F025DD0EAA5E6629F7ADF333B9EF34FE380BACA0A", "href": "https://www.ibm.com/support/pages/node/6257127", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:23", "description": "## Summary\n\nA vulnerability has been found within the version of IBM WebSphere Liberty shipped with IBM MQ.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n**DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM MQ | 9.1 LTS \nIBM MQ | 9.1 CD \n \n## Remediation/Fixes\n\n**IBM MQ 9.1 LTS**\n\n[Apply Fixpack 9.1.0.6](<https://www.ibm.com/support/pages/downloading-ibm-mq-version-9106> \"Apply Fixpack 9.1.0.6\" )\n\n**IBM MQ 9.1 CD**\n\n[Upgrade to IBM MQ 9.2](<https://www.ibm.com/support/pages/downloading-ibm-mq-version-920> \"Upgrade to IBM MQ 9.2\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-05T10:18:55", "type": "ibm", "title": "Security Bulletin: IBM MQ is affected by a vulnerability within IBM WebSphere Liberty (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-05T10:18:55", "id": "DABA7DED974B2398189D6CD437940649E019A14178C8AB32F290EB35C8669636", "href": "https://www.ibm.com/support/pages/node/6255994", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:44:36", "description": "## Summary\n\nThere is a vulnerability in WebSphere Application Server Liberty that is used by IBM InfoSphere Information Server.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n**DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nInfoSphere Information Server with a Microservices tier | 11.7 \n \n## Remediation/Fixes\n\n## \n\n_Product_ | _VRMF_ | \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nInfoSphere Information Server, Information Server on Cloud\n\n| \n\n11.7\n\n| \n\n[JR63314](<http://www.ibm.com/support/docview.wss?uid=swg1JR63314> \"JR63314\" )\n\n| \n\n\\--Apply InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/docview.wss?uid=ibm10878310> \"11.7.1.0\" ) \n\\--Apply Information Server [11.7.1.1](<https://www.ibm.com/support/pages/node/6209196> \"11.7.1.1\" ) \n\\--Apply Information Server [11.7.1.1 Service Pack 1](<https://www.ibm.com/support/pages/node/6438057> \"11.7.1.1 Service Pack 1???\" ) \n \nFor Red Hat 8 installations, contact IBM Customer Support. \n \n**Note**: Users of WebSphere Application Server Network Deployment should follow the [WebSphere security bulletin](<https://www.ibm.com/support/pages/node/6201862> \"WebSphere security bulletin\" ) \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/> \"contacts for other countries\" ) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html> \"open a Service Request\" ) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-01T19:45:30", "type": "ibm", "title": "Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-04-01T19:45:30", "id": "43DA011A37CE03FA64B094E9F5770A93BEF6CF43E03F703E6569EEA76986A4F8", "href": "https://www.ibm.com/support/pages/node/6436379", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:49", "description": "## Summary\n\nTXSeries for Multiplatforms has addressed the following vulnerabilities reported by IBM\u00ae WebSphere Application Server liberty \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TXSeries for Multiplatforms| 8.2.0.0 - 8.2.0.2 \nIBM TXSeries for Multiplatforms| 9.1.0.0 - 9.1.0.1 \n \n\n\n## Remediation/Fixes\n\nProduct| Version| Defect| Remediation / First Fix \n---|---|---|--- \nIBM TXSeries for Multiplatforms v9.1| \n\n9.1.0.0\n\n9.1.0.1\n\n| 126343| [Fix Central Link](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_9.1_SpecialFix_liberty_082020&source=SAR>) \nIBM TXSeries for Multiplatforms v8.2| \n\n8.2.0.0\n\n8.2.0.1\n\n8.2.0.2\n\n| 126343| [Fix Central Link](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_8.2_SpecialFix_liberty_082020&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-24T11:38:08", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server is vulnerable to information disclosure that affects TXSeries for Multiplatforms", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-24T11:38:08", "id": "3145AF0C5406567F174CE24AB15ECCCBF1EDAC271CA314F0505020DA0354DFD8", "href": "https://www.ibm.com/support/pages/node/6320845", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:43:49", "description": "## Summary\n\nWebSphere Application Server security vulnerability in FileNet Content Manager\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nFileNet Content Manager| 5.5.3 \nFileNet Content Manager| 5.5.4 \n \n## Remediation/Fixes\n\nUpgrade to one of the below releases: \n \n\n\n** Product**| ** VRMF**| ** APAR**| ** Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.5.3 \n5.5.4| [PJ46150](<https://www.ibm.com/support/pages/apar/PJ46150> \"PJ46150\" ) \n[PJ46150](<https://www.ibm.com/support/pages/apar/PJ46150> \"PJ46150\" )| 5.5.3.0-P8CPE-Container-IF003 - 7/16/2020 \n5.5.4.0-P8CPE-Container-IF002 - 7/21/2020 \n \nOnly versions covered by continuous support for fixes are listed. Please apply the listed update to remediate.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-11-10T22:46:04", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server security vulnerability in FileNet Content Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-11-10T22:46:04", "id": "44F8F51D369D3F744AF193AB2E497189282F22F94B8B3424EA2B099B5580CD94", "href": "https://www.ibm.com/support/pages/node/6209707", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:58", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal product and version| Affected product and version \n---|--- \nBusiness Monitor V8.5.7| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.6| WebSphere Application Server V8.5.5 \nBusiness Monitor V8.5.5| WebSphere Application Server V8.5.5 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-29T15:16:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-29T15:16:12", "id": "89889D01EFEB2906CEB101B24500260E255984420DF03BB57D83997D812CEE0A", "href": "https://www.ibm.com/support/pages/node/6202780", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:53", "description": "## Summary\n\nIn the WebSphere Application Server Admin console where the Rational Asset Manager is deployed, a privilege escalation vulnerability is observed. Information about this security vulnerability affecting WebSphere Application Server is published in the respective security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.\n\nNOTE: Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). **Affected Supporting Product** | **Affected Supporting Product Security Bulletin** \n---|--- \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0. | [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-13T08:49:30", "type": "ibm", "title": "Security Bulletin: Security vulnerability is identified in the WebSphere Application Server where the Rational Asset Manager is deployed", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-06-13T08:49:30", "id": "451F72C42C9FA5B3638C6F2233F910FC635FE2A09DB2B0F71474AE8603F61D92", "href": "https://www.ibm.com/support/pages/node/6230750", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:46:00", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM WebSphere Remote Server - Product Family| All \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\n** Principal Product and Version(s)**| ** Affected Supporting Product and Version**| ** Affected Supporting Product Security Bulletin** \n---|---|--- \nWebSphere Remote Server \n9.0, 8.5, 7.1, 7.0| WebSphere Application Server 9.0, 8.5, 8.0, 7.0| | \n\n[Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862>) \n \n--- \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-29T20:57:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-29T20:57:17", "id": "86D81D4FF071D7D46BB506C67EA7CE93C082F0DB66B01AA7474850EEE2C3CBD5", "href": "https://www.ibm.com/support/pages/node/6203134", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:52:26", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. This has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Compare & Comply| All \n \n## Remediation/Fixes\n\nUpgrade to IBM Watson Compare and Comply for IBM Cloud Pak for Data 1.1.9. To download the software, go to Passport Advantage, then search for \"watson compare and comply for ICP for Data\", then select IBM Watson Compare and Comply for ICP for Data V1.1.9 Linux English , part number CC7JSEN.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-04T18:21:58", "type": "ibm", "title": "Security Bulletin: Information disclosure in WebSphere Application Server - Liberty", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-04T18:21:58", "id": "9BB137A2C15EDDA2FAD8099BF31EC43072DCB5CFA903CDC8CF3248DC677FE923", "href": "https://www.ibm.com/support/pages/node/6256110", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:37", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTivoli Common Reporting| 3.1.2 - 3.1.2.1 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n\n**Jazz for Service Management Releases \n**| **Remediation** \n---|--- \n1.1.2 - 1.1.2.1| \n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-28T14:18:23", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Common Reporting: TCR, a part of IBM Jazz for Service Management (JazzSM) is vulnerable to Information disclosure (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-28T14:18:23", "id": "A801C0134AF3AE69F120F9758CA8985C815F0984281741FDA5A847A1ACC66AFF", "href": "https://www.ibm.com/support/pages/node/6324179", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:55", "description": "## Summary\n\nIBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n**DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Cloud Private | 3.2.1 CD \nIBM Cloud Private | 3.2.2 CD \n \n## Remediation/Fixes\n\nProduct defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages \n\n * IBM Cloud Private 3.2.1\n * IBM Cloud Private 3.2.2\n\nFor IBM Cloud Private 3.2.1, apply June fix pack:\n\n * [IBM Cloud Private 3.2.1.2006](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.1.2006-build555335-37920&includeSupersedes=0> \"IBM Cloud Private 3.2.1.2006\" )\n\nFor IBM Cloud Private 3.2.2, apply June fix pack:\n\n * [IBM Cloud Private 3.2.2.2006](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.2.2006-build553613-35974&includeSupersedes=0> \"IBM Cloud Private 3.2.2.2006\" )\n\nFor IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:\n\n * Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2. \n * If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-19T19:03:54", "type": "ibm", "title": "Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-19T19:03:54", "id": "EF0B8ABDDF0182AD0AB63DBD4F3EA0B3769B57CF195F94A299C8DFE53DDE410A", "href": "https://www.ibm.com/support/pages/node/6261601", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:47:08", "description": "## Summary\n\nA vulnerability IBM WebSphere Application Server Liberty could allow an attacker to obtain sensitive information. This vulnerability may affect the IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments. UPDATED 1/29/2021: Added 7.1 fix for IBM Spectrum Protect for Virtual Environments: Data Protection for VMware\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| Version(s) \n---|--- \nIBM Spectrum Protect Backup-Archive web user interface| 8.1.7.0-8.1.10.0 (Linux and Windows) \n8.1.9.0-8.1.10.0 (AIX) \nIBM Spectrum Protect for Space Management| 8.1.7.0-8.1.10.0 (Linux) \n8.1.9.0-8.1.10.0 (AIX) \nIBM Spectrum Protect for Virtual Environments: Data Protection for VMware| \n\n8.1.0.0-8.1.10.0 \n7.1.0.0-7.1.8.9 \n \n \nIBM Spectrum Protect (for Virtual Environments: Data Protection for Hyper-V| 8.1.4.0-8.1.10.0 \n \n## Remediation/Fixes\n\n \n\n\n \n\n\n**_IBM Spectrum Protect Backup-Archive Client web user interface Release_**| **_First Fixing \nVRM Level_**| **_Platform_**| **_Link to Fix_** \n---|---|---|--- \n8.1| 8.1.11| AIX \nLinux \nWindows| <https://www.ibm.com/support/pages/node/6367205> \n \n \n\n\n**_IBM Spectrum Protect for Space Management Release_**| **_First Fixing \nVRM Level_**| **_Platform_**| **_Link to Fix_** \n---|---|---|--- \n8.1| 8.1.1.11| AIX \nLinux| <https://www.ibm.com/support/pages/node/6335741> \n \n \n\n\n**_IBM Spectrum Protect for Virtual Environments: Data Protection for VMware Release_**| **_First Fixing \nVRM Level_**| **_Platform_**| **_Link to Fix_** \n---|---|---|--- \n8.1| 8.1.11| Linux \nWindows| <https://www.ibm.com/support/pages/node/6152475> \n7.1 \n| 7.1.8.10 \n| Linux \nWindows \n| <https://www.ibm.com/support/pages/node/316625> \n \n \n\n\n \n\n\n**_IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V Release_**| **_First Fixing \nVRM Level_**| **_Platform_**| **_Link to Fix_** \n---|---|---|--- \n8.1| 8.1.11| Linux| <https://www.ibm.com/support/pages/node/6152475> \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-01-29T18:29:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2021-01-29T18:29:02", "id": "9548F3BD922C19C55E9391D4BACA8EA98682FB5BCA396DD8812365F4C30867A0", "href": "https://www.ibm.com/support/pages/node/6371650", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:48:07", "description": "## Summary\n\nThis security bulletin addresses the Information Disclosure vulnerability that has been found to impact Websphere Liberty in IBM Tivoli Application Dependency Discovery Manager.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n**DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager | 7.3.0.3 - 7.3.0.7 \n \n## Remediation/Fixes\n\n**Fix** | **VRMF** | **APAR** | **How to acquire fix** \n---|---|---|--- \nefix_WLP_PSIRT_20005_FP5180802.zip | 7.3.0.5 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=d1xntIrCriyAnaSvBTMF4edOlDCjcFaOLTM4ccUmbjw> \"Download eFix\" ) \nefix_WLP_PSIRT_20005_FP6190313.zip | 7.3.0.6 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=X2UV7nmubFsybnKno7kO7Vuw1UKhecloR5Ifufbw3WM> \"Download eFix\" ) \nefix_WLP_PSIRT_20005_FP7200218.zip | 7.3.0.7 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=lzxrgrP31963huJnNPxu2RgIpIe5S4oyalEFJAi60PA> \"Download eFix\" ) \n \n**Note:**\n\nBefore TADDM 7.3.0.5, Java 7 was used and the upgraded Liberty version 20.0.0.5 requires Java8. Hence, no eFix can be provided for versions before 7.3.0.5.\n\n## Workarounds and Mitigations\n\nFor customers on TADDM FixPack 3 or FixPack 4, recommendation is to upgrade to a later version and then follow the steps mentioned above.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-12-15T11:49:56", "type": "ibm", "title": "Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-12-15T11:49:56", "id": "51C64898345F327DD93881C52DC0BCDB22915CDD412C72A65BE394B7A650FE83", "href": "https://www.ibm.com/support/pages/node/6262861", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:54:17", "description": "## Summary\n\nRational Asset Analyzer (RAA) has addressed the following vulnerability in WebSphere Application Server.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nAsset Analyzer (RAA)| 6.1.0.0 - 6.1.0.23 \n \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation / First Fix** \n---|---|---|--- \nRational Asset Analyzer| 6.1.0.23 Refresh | NONE| \n\n[ RAA 6.1.0.23 Refresh for Windows](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=Windows&function=all> \"Windows\" )\n\n[ RAA 6.1.0.23 Refresh for z/OS](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=z/OS&function=all> \"z/OS\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-07-01T01:48:39", "type": "ibm", "title": "Security Bulletin: Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-07-01T01:48:39", "id": "889AEF340E86A1FF8AE75CD323791BF93186173C5DCEC257F97767066CFAFD1D", "href": "https://www.ibm.com/support/pages/node/6242794", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:32", "description": "## Summary\n\nIBM Security Identity Manager Virtual Appliance (ISIM VA) has addressed the following vulnerability due to a remote attacker's ability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Identity Manager Virtual Appliance| 7.0.2 \nIBM Security Identity Manager Virtual Appliance| 7.0.1 \n \n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Fix Availability \n---|---|--- \nIBM Security Identity Manager Virtual Appliance| 7.0.2| \n\n[7.0.2-ISS-SIM-FP0002](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=7.0.2-ISS-SIM-FP0002&source=SARASA> \"7.0.2-ISS-SIM-FP0002\" ) \n \nIBM Security Identity Manager Virtual Appliance| 7.0.1| \n\n[7.0.1-ISS-SIM-FP0014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=7.0.1-ISS-SIM-FP0014&source=SAR> \"7.0.1-ISS-SIM-FP0014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-08-29T21:32:29", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager Virtual Appliance(CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-08-29T21:32:29", "id": "80F63C4DBA4692F1399B8419C02ECEE29E4B32D85EDDE77D136EB81CBB859B9C", "href": "https://www.ibm.com/support/pages/node/6242354", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:51:18", "description": "## Summary\n\nInformation disclosure in WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Common Reporting| 3.1.3 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n\n**Jazz for Service Management Releases \n**| **Remediation** \n---|--- \n1.1.3 - 1.1.3.7| \n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-09-03T16:49:26", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Common Reporting: TCR, a part of IBM Jazz for Service Management (JazzSM) is vulnerable to Information disclosure (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-09-03T16:49:26", "id": "0DD7AF43DE97763E0D93D1D019F9D4F482815C909438E3FDD9E285D6B2ED40B7", "href": "https://www.ibm.com/support/pages/node/6326539", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:59", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version(s)** \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server V8.0 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes: \n\n * [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-30T14:37:38", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-04-30T14:37:38", "id": "845034F004D5E87FCBDDBF4DF19CBEEE3865967F212423D2B39A2634A34BBB84", "href": "https://www.ibm.com/support/pages/node/6203924", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:30", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nMaximo Asset Management 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6 \nMaximo for Oil and Gas 7.6 \nMaximo for Utilities 7.6 \nMaximo for Aviation 7.6 \nMaximo Linear Asset Manager 7.6 \nMaximo for Service Providers 7.6 \nMaximo Asset Health Insights 7.6 \nControl Desk 7.6\n\n| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \n \n## Remediation/Fixes\n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-05-28T21:15:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2020-05-28T21:15:49", "id": "A1EFACF2069DC3D9306569DB75291E800141DD6232DEB3E7928DC96CA216C1CC", "href": "https://www.ibm.com/support/pages/node/6205702", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:43:35", "description": "## Summary\n\nAn information disclosure in WebSphere Application Server - Liberty Medium CVE-2020-4329 has been fixed in WebSphere Application Server Liberty 20.0.0.5, included in ICP Watson_Text_to_Speech and Speech to Text v1.1.2 (GA: 6/19/20). \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Speech to Text, Text to Speech| 1.0.1 - 1.1 \n \n\n\n## Remediation/Fixes\n\nAn information disclosure in WebSphere Application Server - Liberty Medium CVE-2020-4329 has been fixed in WebSphere Application Server Liberty 20.0.0.5, included in ICP Watson_Text_to_Speech and Speech to Text v1.1.2 (GA: 6/19/20). Please download and install the latest version to receive this fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-01-12T21:59:00", "type": "ibm", "title": "Security Bulletin: Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2023-01-12T21:59:00", "id": "6460D41996E43CB75276902519E15745959E2FFD675E2119EAA294B305A37593", "href": "https://www.ibm.com/support/pages/node/6238332", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:47:51", "description": "## Summary\n\nThere is an information disclosure in WebSphere Application Server Liberty.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nLiberty for Java| 3.44 \n \n\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java 3.45-20200601-1056 or higher, you must re-stage or re-push your application \n\nTo find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:\n\ncf ssh <appname> -c cat \"staging_info.yml\"\n\nLook for the following lines:\n\n{\"detected_buildpack\":\"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.44-20200430-1451, ibmjdk-1.8.0_sr5fp41-20190919, env)\",\"start_command\":\".liberty/initial_startup.rb\"}\n\nTo re-stage your application using the command-line Cloud Foundry client, use the following command:\n\ncf restage <appname>\n\nTo re-push your application using the command-line Cloud Foundry client, use the following command:\n\ncf push <appname>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-10-07T16:01:56", "type": "ibm", "title": "Security Bulletin: There is an information disclosure vulnerability in Liberty for Java (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2022-10-07T16:01:56", "id": "24C171D2EBFBD69CF6AEEFB17FADCB6350B347E61036097EF3A9343C6459084D", "href": "https://www.ibm.com/support/pages/node/6220570", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:55:14", "description": "## Summary\n\nIBM Sterling B2B Integrator had addressed the security vulnerability\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling B2B Integrator| 5.2.6.0 - 6.1.0.0 \n \n\n\n## Remediation/Fixes\n\n** Product & Version**| ** Remediation & Fix** \n---|--- \n5.2.6.0 - 6.1.0.0| For B2BAPI or myFilegateway 2.0 customers, apply IBM Sterling B2B Integrator version 6.0.3.3 or 6.1.0.1 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-05-13T14:58:22", "type": "ibm", "title": "Security Bulletin: Information Disclosure Security Vulnerability in WebSphere Application Server Affects IBM Sterling B2B Integrator (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2022-05-13T14:58:22", "id": "918EC90267CF1760ED229DE75BD576095419855F5087F191C08D402ADF7504D9", "href": "https://www.ibm.com/support/pages/node/6396082", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:52:37", "description": "## Summary\n\nWebSphere network security vulnerability in IBM Content Foundation on Cloud containers\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Content Foundation on Cloud| 5.5.0 \n \n## Remediation/Fixes\n\nWebSphere security vulnerabilities \n\nInstall WebSphere fix, or one of the below releases to resolve the security vulnerabilities.\n\n** Product**| ** VRMF**| ** APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Content Foundation on Cloud| 5.5.3 \n5.5.4| [PJ46159](<https://www.ibm.com/support/pages/apar/PJ46159> \"PJ46159\" ) \n[PJ46159](<https://www.ibm.com/support/pages/apar/PJ46159> \"PJ46159\" )| 5.5.3.0-P8CPE-Container-IF003 - July 16, 2020 \n5.5.4.0-P8CPE-Container-IF002 - July 21, 2020 \n \n \nOnly versions covered by continuous support for fixes are listed. Please apply the listed update to remediate.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-25T20:39:06", "type": "ibm", "title": "Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2022-07-25T20:39:06", "id": "ED45B3D03432EA991E20FCFB7B9FD0CD25D3E1B834197F239D900E5975F863A2", "href": "https://www.ibm.com/support/pages/node/6209092", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:50:12", "description": "## Summary\n\nWebSphere Application Server traditional is shipped as a component of IBM Business Automation Workflow, IBM Business Process Manager, and WebSphere Enterprise Service Bus. WebSphere Application Server Liberty profile is shipped as a component of IBM Business Automation Workflow and IBM Business Process Manager. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional and Liberty profile have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| V19.0 \nV18.0 \nIBM Business Process Manager| V8.6 \nV8.5 \nV8.0 \nWebSphere Enterprise Service Bus| V7.5 \nV7.0 \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\nNote that Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.\n\n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-09-14T15:28:14", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Digital Business Automation Workflow family products (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2022-09-14T15:28:14", "id": "C60289D204614CD6F487491D985F924542C108BE5DDA61A136A99A5BF2EE3F15", "href": "https://www.ibm.com/support/pages/node/6202785", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:41:51", "description": "## Summary\n\nIBM CICS TX on Cloud has addressed the following vulnerabilities reported by IBM\u00ae WebSphere Application Server Liberty \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM CICS TX on Cloud| 10.1.0.0 \n \n\n\n## Remediation/Fixes\n\nProduct| Version| Defect| Remediation / First Fix \n---|---|---|--- \nIBM CICS TX on Cloud| 10.1.0.0| 126343| [Fix Central Link](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=IBM_CICSTX_on_Cloud_SpecialFIX_liberty_082020&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-02-14T20:51:49", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server is vulnerable for information disclosure that affect IBM CICS TX on Cloud", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2023-02-14T20:51:49", "id": "03A21E2CEB2AE80B0CB3845788EE2C252B219A2161281A588F3A3FABD346F890", "href": "https://www.ibm.com/support/pages/node/6320839", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T17:57:14", "description": "## Summary\n\nWebSphere Application Server Liberty could allow a remote, authenticated attacker to obtain sensitive information caused by improper paramater checking which affects IBM Spectrum Control.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Control| 5.3.1 -5.3.7 \n \n## Remediation/Fixes\n\nThe solution is to apply an appropriate IBM Spectrum Control fix. Click on the download link and follow the Installation Instructions. The solution should be implemented as soon as practicable.\n\n** Release**| **First Fixing** \n**VRM Level**| ** Link to Fix** \n---|---|--- \n5.4| 5.4.0| <http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0> \n \n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-03-23T22:07:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329"], "modified": "2022-03-23T22:07:22", "id": "F4188E3B827097B5726FE571691C7D8BDE2707668C61436452DE873879AB6FA6", "href": "https://www.ibm.com/support/pages/node/6261325", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:50:38", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) | WebSphere Version \n---|---|--- \nIBM Security Key Lifecycle Manager | 4.0 | 9.0.5 \nIBM Security Key Lifecycle Manager | 3.0.1 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 3.0 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 2.7 | 9.0.0.1 \n \n## Remediation/Fixes\n\nPlease consult the following bulletins: \n\n[Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114](<https://www.ibm.com/support/pages/security-bulletin-classloader-manipulation-vulnerability-ibm-websphere-application-server-cve-2014-0114> \"Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-26T18:11:53", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2014-0114, CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2019-10086"], "modified": "2020-09-26T18:11:53", "id": "790AEE8158E5072311EE0B1D8C1CACC2CAE27CA8C7B75F39AD990B40790CFB8C", "href": "https://www.ibm.com/support/pages/node/6338459", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:38:09", "description": "## Summary\n\nIn the WebSphere Application Server Admin console where the Rational Asset Manager is deployed, a potential security vulnerabilities are identified. Information about this security vulnerability affecting WebSphere Application Server is published in the respective security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins listed in the **Remediation/Fixes** section.\n\n## Affected Products and Versions\n\n \nIBM Rational Asset Manager 7.5 and 7.5.1. \n \n**NOTE:** Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). \n\n\n**Affected Supporting Product**\n\n| \n\n**Affected Supporting Product Security Bulletin** \n \n---|--- \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0. | _[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0>)_ \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, 9.0, and Liberty | _[Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2019-4441)](<https://www.ibm.com/support/pages/node/959023>)_ \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-13T10:36:28", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities is identified in WebSphere Application Server where Rational Asset Manager is deployed (CVE-2019-10086 and CVE-2019-4441)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-4441"], "modified": "2020-02-13T10:36:28", "id": "9D474CFA28D8B0313A49C799D05622C172F9872EA0EAE8F12773DAC4E1DEF768", "href": "https://www.ibm.com/support/pages/node/1135768", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-04T17:48:07", "description": "## Summary\n\nIBM Security Guardium has fixed these vulnerabilities. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-41617](<https://vulners.com/cve/CVE-2021-41617>) \n** DESCRIPTION: **OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/210062](<https://exchange.xforce.ibmcloud.com/vulnerabilities/210062>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Security Guardium| 11.4 \n \n\n\n## Remediation/Fixes\n\nIBM encourages customers to update their systems promptly. \n\n** Product**| **Versions**| ** Fix** \n---|---|--- \nIBM Security Guardium| 11.4| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p430_Bundle_Apr-28-2022&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p430_Bundle_Apr-28-2022&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2022-06-23T16:59:04", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2021-41617"], "modified": "2022-06-23T16:59:04", "id": "90CF485116A952ADEC5B5A85E722DF33D1556D18AE9C7D1F5699712F4EB9F66A", "href": "https://www.ibm.com/support/pages/node/6597283", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T13:39:29", "description": "## Summary\n\nApache Commons Beanutils vulnerabilities could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. This vulnerability has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \neDiscovery Manager| 2.2.2 \n \n\n\n## Remediation/Fixes\n\nProduct \n\n| VRM| Remediation \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| Use IBM eDiscovery Manager 2.2.2.3 [Interim Fix 007](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-WIN-IF007&source=SAR> \"Interim Fix 007\" ) for Windows \n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 007](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-AIX-IF007&source=SAR> \"Interim Fix 007\" ) for AIX \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2023-03-10T05:09:21", "type": "ibm", "title": "Security Bulletin: Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2019-10086"], "modified": "2023-03-10T05:09:21", "id": "5041F3D5141A619380512BA58DDE4E2250632BFCFF26D7B947F0A03A7FFC021B", "href": "https://www.ibm.com/support/pages/node/6962723", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T13:40:08", "description": "## Summary\n\nIBM B2B Advanced Communications has addressed vulnerabilities in Apache Common BeanUtils shipped with product.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM B2B Advanced Communications| 1.0.0.x \nIBM Multi-Enterprise Integration Gateway| 1.0.0.1 \n \n\n\n## Remediation/Fixes\n\n**Product** | \n\n**Version**\n\n| \n\n**Remediation** \n \n---|---|--- \n \nIBM B2B Advanced Communications\n\n| \n\n1.0.0.x\n\n| Apply fix pack [1.0.0.8](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.7&platform=All&function=fixId&fixids=IBM_B2B_Advanced_Communications_V1.0.0.8_FixPack_Media&includeSupersedes=0> \"1.0.0.8\" ) \nIBM Multi-Enterprise Integration Gateway| \n\n1.0.0.1\n\n| Apply fix pack [1.0.0.8 ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.7&platform=All&function=fixId&fixids=IBM_B2B_Advanced_Communications_V1.0.0.8_FixPack_Media&includeSupersedes=0> \"1.0.0.8\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2023-02-20T06:09:39", "type": "ibm", "title": "Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to Apache Commons BeanUtils (CVE-2014-0114, CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2019-10086"], "modified": "2023-02-20T06:09:39", "id": "376BF79A42FDC2B79EA0ACE3299D7D2BC084C5F6732575256A96FE46F43D836F", "href": "https://www.ibm.com/support/pages/node/6956838", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T13:57:14", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed the security vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| APAR(s)| Version(s) \n---|---|--- \nIBM Sterling B2B Integrator| IT37693| 5.2.0.0 - 5.2.6.5_4 \nIBM Sterling B2B Integrator| IT37693| 6.0.0.0 - 6.0.0.6, 6.0.1.0 - 6.0.3.4 \nIBM Sterling B2B Integrator| IT37693| 6.1.0.0 - 6.1.0.3 \n \n\n\n## Remediation/Fixes\n\nProduct & Version| Remediation & Fix \n---|--- \n5.2.0.0 - 5.2.6.5_4| Apply IBM Sterling B2B Integrator version 6.0.0.7, 6.0.3.5, 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.0.6, 6.0.1.0 - 6.0.3.4| Apply IBM Sterling B2B Integrator version 6.0.0.7, 6.0.3.5, or 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.1.0.0 - 6.1.0.3| Apply IBM Sterling B2B Integrator version 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-10-05T20:46:28", "type": "ibm", "title": "Security Bulletin: Apache Commons BeanUtils Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2014-0114, CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2019-10086"], "modified": "2021-10-05T20:46:28", "id": "7BE38BC9D9063F34BE9B8AEC73F5518E1D7B0EC8F35109DB2E64EBA48061A6DB", "href": "https://www.ibm.com/support/pages/node/6495947", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T17:38:37", "description": "## Summary\n\nThis Security Bulletin addresses the security vulnerabilities that have been fixed within the IBM Operational Decision Manager. This product now includes fixes for the following security vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-24998](<https://vulners.com/cve/CVE-2023-24998>) \n** DESCRIPTION: **Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247895](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247895>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operational Decision Manager| 8.10.x \nIBM Operational Decision Manager| 8.11.x \n \n\n\n## Remediation/Fixes\n\nIBM Operational Decision Manager V8.10.5.1: \nInterim fix 33 for DT198215 is available from [IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Operational+Decision+Management&release=8.10.5.1&platform=All&function=all>): \n\n * 8.10.5.1-WS-ODM_K8S-PPC64LE-IF033\n * 8.10.5.1-WS-ODM_K8S-PPC64LE-IF033\n * 8.10.5.1-WS-ODM_K8S-LIN_X86-IF033\n * 8.10.5.1-WS-ODM_DC-IF033\n * 8.10.5.1-WS-ODM_DS-IF033\n\nIBM Operational Decision Manager V8.11.0.1: \nInterim fix 15 for DT198215 is available from [IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Operational+Decision+Management&release=8.11.0.1&platform=All&function=all>):\n\n * 8.11.0.1-WS-ODM-IF015\n * 8.11.0.1-WS-ODM_K8S-PPC64LE-IF015\n * 8.11.0.1-WS-ODM_K8S-LIN_S390-IF015\n * 8.11.0.1-WS-ODM_K8S-LIN_X86-IF015\n\nIBM Operational Decision Manager V8.11.1: \nInterim fix 4 for DT198215 is available from [IBM Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Operational+Decision+Management&release=8.11.1.0&platform=All&function=all>):\n\n * 8.11.1.0-WS-ODM_K8S-LIN_S390-IF004\n * 8.11.1.0-WS-ODM_K8S-PPC64LE-IF004\n * 8.11.1.0-WS-ODM_K8S-LIN_X86-IF004\n * 8.11.1.0-WS-ODM-IF004\n\nNote: interim fix are cumulative, all newer version of this interim fixes includes the fix listed here. \n\n## Workarounds and Mitigations\n\nIBM Operational Decision Manager is delivered following the continuous delivery support model which means older version do not all receive interim fixes. \n\nIf using a version of 8.10.x prior to 8.10.5.1 you must update to this version to be able to install this interim fix.\n\nIf using a version of 8.11.x prior to 8.11.0.1 you must update to this version to be able to install this interim fix.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-04-11T14:02:03", "type": "ibm", "title": "Security Bulletin: IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2019-10086", "CVE-2023-24998"], "modified": "2023-04-11T14:02:03", "id": "0BC017C730A770E349E300089D6DB71D200CA299BDBFA58821787583FA3F9DB1", "href": "https://www.ibm.com/support/pages/node/6982881", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:41:31", "description": "## Summary\n\nIBM Business Automation Workflow has addressed the following security vulnerabilities with the embedded Content Navigator. For more information, refer to the X-Force database entries referred to below.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-4263](<https://vulners.com/cve/CVE-2019-4263>) \n**DESCRIPTION:** IBM Content Navigator is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160015> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [CVE-2019-12402](<https://vulners.com/cve/CVE-2019-12402>) \n**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an error in the internal file name encoding algorithm. By persuading a victim to open specially crafted ZIP archive containing malicious input, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165956> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n\n## Affected Products and Versions\n\nIBM Business Automation Workflow V18.0.0.1 through V19.0.0.2\n\nNote: CVE-2019-4263 does not affect IBM Business Automation Workflow V19.0.0.2 or later.\n\n## Remediation/Fixes\n\nInstall interim fix [JR61368](<http://www.ibm.com/support/docview.wss?uid=swg1JR61368>) as appropriate for your current IBM Business Automation Workflow.\n\n * [IBM Business Automation Workflow](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=aparId&apars=JR61368>)\n\n \n**For IBM Business Automation Workflow V18.0.0.1 - V19.0.0.2** \n\u00b7 Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by iFix and then apply iFix [JR61368](<http://www.ibm.com/support/docview.wss?uid=swg1JR61368>) \n\\--OR-- \n**\u00b7** Apply cumulative fix IBM Business Automation Workflow V19.0.0.3 (latest recommended)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-18T18:15:16", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities has been identified with the embedded Content Navigator used by IBM Business Automation Workflow (CVE 2019-4263, CVE-2019-10086, CVE-2019-12402)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-12402", "CVE-2019-4263"], "modified": "2019-12-18T18:15:16", "id": "B7B1A8DAB1A897FBFE8F37F46B5A9BAA67F914F715D69E265E2F4E7D8FBB16AF", "href": "https://www.ibm.com/support/pages/node/967663", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:55:29", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about security vulnerabilities affecting WAS have been published in multiple security bulletins. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Rational ClearQuest | 8.0.0 \nIBM Rational ClearQuest | 8.0.1 \nIBM Rational ClearQuest | 9.0 \nIBM Rational ClearQuest | 9.0.1 \nIBM Rational ClearQuest | 9.0.2 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is used by IBM Rational ClearQuest. \n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x | IBM WebSphere Application Server versions 7.0, 8.0, 8.5 and 9.0. | \n\n[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276)](<https://www.ibm.com/support/pages/node/6118222> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4276\$\" )\n\n[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362)](<https://www.ibm.com/support/pages/node/6174417> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4362\$\" )\n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x | Apply the appropriate IBM WebSphere Application Server fix (see bulletin link above) directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-25T04:34:43", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2020-4276, CVE-2020-4362, CVE-2020-4329)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362"], "modified": "2020-05-25T04:34:43", "id": "9597A8DA413DEA047F25252B086CCCDA7543FCBC7042D730228D872AF048DEA1", "href": "https://www.ibm.com/support/pages/node/6216024", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:53", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. Vulnerabilities have been identified in WebSphere Application Server and the information about their fixes are published in security bulletins. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4449](<https://vulners.com/cve/CVE-2020-4449>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4365](<https://vulners.com/cve/CVE-2020-4365>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178964>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4276](<https://vulners.com/cve/CVE-2020-4276>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175984>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-4670](<https://vulners.com/cve/CVE-2019-4670>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171319>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4448](<https://vulners.com/cve/CVE-2020-4448>) \n** DESCRIPTION: **IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181228](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181228>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4362](<https://vulners.com/cve/CVE-2020-4362>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178929>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4450](<https://vulners.com/cve/CVE-2020-4450>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCloud Orchestrator| 2.5.0.10 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to manually upgrade to the appropriate WebSphere Application Server Interim Fix on IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5.0.10. \n\nConsult the following WebSphere Application Server security bulletins for the vulnerability details and information about their fixes:\n\n * [Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4449)](<https://www.ibm.com/support/pages/node/6220296> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \$CVE-2020-4449\$\" )\n * [Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4450)](<https://www.ibm.com/support/pages/node/6220294> \"Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability \$CVE-2020-4450\$\" )\n * [Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670) ](<https://www.ibm.com/support/pages/node/1289152> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2019-4670\$\" )\n * [Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448)](<https://www.ibm.com/support/pages/node/6220336> \"Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND \$CVE-2020-4448\$\" )\n * [Security Bulletin: WebSphere Application Server is vulnerable to a server-side request forgery vulnerability (CVE-2020-4365)](<https://www.ibm.com/support/pages/node/6209099> \"Security Bulletin: WebSphere Application Server is vulnerable to a server-side request forgery vulnerability \$CVE-2020-4365\$\" )\n * [Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" )\n * [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362)](<https://www.ibm.com/support/pages/node/6174417> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4362\$\" )\n * [Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n * [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276)](<https://www.ibm.com/support/pages/node/6118222> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4276\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-16T09:19:38", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4448", "CVE-2020-4449", "CVE-2020-4450"], "modified": "2020-09-16T09:19:38", "id": "86BC382413D13FEC49BBCF5FC0129F8B83C058E0C0CDD0CFC599911E284C4FA7", "href": "https://www.ibm.com/support/pages/node/6333467", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T17:44:36", "description": "## Summary\n\nThe following security issues have been identified in the WebSphere Application Server and IHS server included as part of IBM Tivoli Monitoring (ITM) portal server. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-4670](<https://vulners.com/cve/CVE-2019-4670>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171319>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4163](<https://vulners.com/cve/CVE-2020-4163>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174397>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-4450](<https://vulners.com/cve/CVE-2020-4450>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 Fix Pack 7 Service Pack 5 \n \n\n\n## Remediation/Fixes\n\nFIX| VRMF| Remediation/Fix \n---|---|--- \n6.X.X-TIV-ITM_TEPS_EWAS-IHS_ALL_8.55.17.01| 6.3.0.x | <https://www.ibm.com/support/pages/node/6335265> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-30T17:31:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-4670", "CVE-2020-4163", "CVE-2020-4450"], "modified": "2022-12-30T17:31:59", "id": "EA52924E34BCC16950981552A3FA767720FFB0ABD2C4348121C16E9BA6BD4C80", "href": "https://www.ibm.com/support/pages/node/6336437", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:55:14", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty that affect IBM Engineering Products based on IBM Jazz technology. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCLM| 6.0.6.1 \nCLM| 6.0.6 \nCLM| 6.0.2 \nELM| 7.0 \nRhapsody DM| 6.0.6 \nRhapsody DM| 6.0.6.1 \nRhapsody DM| 6.0.2 \nRDM| 7.0 \nDNG| 6.0.6 \nDNG| 6.0.6.1 \nDNG| 6.0.2 \nDOORS Next| 7.0 \nRTC| 6.0.2 \nRTC| 6.0.6.1 \nEWM| 7.0 \nRTC| 6.0.6 \nRQM| 6.0.6.1 \nRQM| 6.0.6 \nETM| 7.0.0 \nRQM| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version, some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS has been published. \n\nFor ELM applications version 6.0 to 7.0 review the Security Bulletin below to determine if your WAS version is affected and the required remediation:\n\n[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362)](<https://www.ibm.com/support/pages/node/6174417> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4362\$\" )\n\n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" )\n\n[Security Bulletin: Potential spoofing attack in WebSphere Application Server (CVE-2020-4421)](<https://www.ibm.com/support/pages/node/6205926> \"Security Bulletin: Potential spoofing attack in WebSphere Application Server \$CVE-2020-4421\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a server-side request forgery vulnerability (CVE-2020-4365)](<https://www.ibm.com/support/pages/node/6209099> \"Security Bulletin: WebSphere Application Server is vulnerable to a server-side request forgery vulnerability \$CVE-2020-4365\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-01T21:25:46", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affects IBM Engineering ELM products on IBM Jazz technology.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4421"], "modified": "2020-06-01T21:25:46", "id": "D00CE0285A4F7F2D040FEB9E42204B251DB78A299D7FFC4E7348291016376C6E", "href": "https://www.ibm.com/support/pages/node/6218416", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:06", "description": "## Summary\n\nThere are vulnerabilities in IBM WebSphere Application Server Liberty that affect Rhapsody DM.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRhapsody DM| 6.0.6 \nRhapsody DM| 6.0.6.1 \nRhapsody DM| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version, some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS has been published. \n\nFor CLM applications version 6.0 to 6.0.6.1 review the Security Bulletin below to determine if your WAS version is affected and the required remediation:[ \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[ \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" )\n\n[Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670)](<https://www.ibm.com/support/pages/node/1289152> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2019-4670\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163)](<https://www.ibm.com/support/pages/node/1288786> \"Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability \$CVE-2020-4163\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-13T14:42:12", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in WebSphere Application Server Liberty affect IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-4663", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163"], "modified": "2020-02-13T14:42:12", "id": "567625FF8DF333D5C563E40EDFFF9516FF13EA40EAFE9A2E68635850284A1A44", "href": "https://www.ibm.com/support/pages/node/2403987", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:45:55", "description": "## Summary\n\nThere are multiple vulnerabilities that affect IBM WebSphere Application Server shipped with IBM StoredIQ for Legal. These have been addressed in Fix Pack 2.0.3.13 of StoredIQ for Legal.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4163](<https://vulners.com/cve/CVE-2020-4163>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174397>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4782](<https://vulners.com/cve/CVE-2020-4782>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189213](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189213>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4534](<https://vulners.com/cve/CVE-2020-4534>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182808](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182808>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4450](<https://vulners.com/cve/CVE-2020-4450>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4362](<https://vulners.com/cve/CVE-2020-4362>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178929>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4589](<https://vulners.com/cve/CVE-2020-4589>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 184585. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184585](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184585>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-4276](<https://vulners.com/cve/CVE-2020-4276>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175984>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-4449](<https://vulners.com/cve/CVE-2020-4449>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-4365](<https://vulners.com/cve/CVE-2020-4365>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178964>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17566](<https://vulners.com/cve/CVE-2019-17566>) \n** DESCRIPTION: **Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183402](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183402>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4643](<https://vulners.com/cve/CVE-2020-4643>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185590](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185590>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-4670](<https://vulners.com/cve/CVE-2019-4670>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171319>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nStoredIQ for Legal| 2.0.3 \n \n\n\n## Remediation/Fixes\n\nApply fix pack 2.0.3.13 that is available from Fix Central <https://www.ibm.com/support/fixcentral/>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T09:24:28", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM StoredIQ for Legal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-17566", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4449", "CVE-2020-4450", "CVE-2020-4534", "CVE-2020-4589", "CVE-2020-4643", "CVE-2020-4782"], "modified": "2021-03-04T09:24:28", "id": "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "href": "https://www.ibm.com/support/pages/node/6422665", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T05:45:05", "description": "## Summary\n\nThere are vulnerabilities in IBM WebSphere Application Server Liberty that affect Quality Manager (RQM)\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRQM| 6.0.6.1 \nRQM| 6.0.6 \nRQM| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version, some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS has been published. \n\nFor CLM applications version 6.0 to 6.0.6.1 review the Security Bulletin below to determine if your WAS version is affected and the required remediation:\n\n[Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2019-4663) \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[ \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n[Security Bulletin: Swagger vulnerability affects WebSphere Application Server Liberty (CVE-2019-17495)](<https://www.ibm.com/support/pages/node/1274596> \"Security Bulletin: Swagger vulnerability affects WebSphere Application Server Liberty \$CVE-2019-17495\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" )\n\n[Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670)](<https://www.ibm.com/support/pages/node/1289152> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2019-4670\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163)](<https://www.ibm.com/support/pages/node/1288786> \"Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability \$CVE-2020-4163\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-13T14:48:06", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in WebSphere Application Server Liberty affect IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-17495", "CVE-2019-4663", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163"], "modified": "2020-02-13T14:48:06", "id": "757696CF6B25D861147516A0233F27AA8ED63CE44EC3D079E6265FF809DBCB35", "href": "https://www.ibm.com/support/pages/node/2404011", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:04", "description": "## Summary\n\nThere are vulnerabilities in IBM WebSphere Application Server that affect Rational Team Concert (RTC).\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRTC| 6.0.2 \nRTC| 6.0.6.1 \nRTC| 6.0.6 \n \n\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version, some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS has been published. \n\nFor CLM applications version 6.0 to 6.0.6.1 review the Security Bulletin below to determine if your WAS version is affected and the required remediation:\n\n[Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2019-4663) \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[ \n](<https://www.ibm.com/support/pages/node/1127367> \"Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting \$CVE-2019-4663\$\" )[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n[Security Bulletin: Swagger vulnerability affects WebSphere Application Server Liberty (CVE-2019-17495)](<https://www.ibm.com/support/pages/node/1274596> \"Security Bulletin: Swagger vulnerability affects WebSphere Application Server Liberty \$CVE-2019-17495\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" )\n\n[Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670)](<https://www.ibm.com/support/pages/node/1289152> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2019-4670\$\" )\n\n[Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163)](<https://www.ibm.com/support/pages/node/1288786> \"Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability \$CVE-2020-4163\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-13T14:46:11", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in WebSphere Application Server Liberty affect IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-17495", "CVE-2019-4663", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163"], "modified": "2020-02-13T14:46:11", "id": "1C1678518312F18585D48228E2C4D89CBF458CAF1277708839EA38E32D0F11E3", "href": "https://www.ibm.com/support/pages/node/2404005", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:38", "description": "## Summary\n\nSecurity vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4421](<https://vulners.com/cve/CVE-2020-4421>) \n** DESCRIPTION: **IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180084](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180084>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-4303](<https://vulners.com/cve/CVE-2020-4303>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176668](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176668>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4304](<https://vulners.com/cve/CVE-2020-4304>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176670](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176670>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-12406](<https://vulners.com/cve/CVE-2019-12406>) \n** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170974>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-17495](<https://vulners.com/cve/CVE-2019-17495>) \n** DESCRIPTION: **Swagger UI could allow a remote attacker to obtain sensitive information, caused by a CSS injection flaw. By using the relative path overwrite (RPO) attack technique, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169050](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169050>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nVoice Gateway| 1.0.2 \nVoice Gateway| 1.0.2.4 \nVoice Gateway| 1.0.3 \nVoice Gateway| 1.0.4 \nVoice Gateway| 1.0.5 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Voice Gateway 1.0.6\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T23:02:20", "type": "ibm", "title": "Security Bulletin: Security vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12406", "CVE-2019-17495", "CVE-2020-4303", "CVE-2020-4304", "CVE-2020-4329", "CVE-2020-4421"], "modified": "2020-06-19T23:02:20", "id": "A2924B4DE05BD5A9DE02BD29915404543555C0C4AAE9016A5C570D5EE0CB6EA6", "href": "https://www.ibm.com/support/pages/node/6236448", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:38", "description": "## Summary\n\nIn the WebSphere Application Server Admin console, where the Rational Asset Manager is deployed, vulnerabilities such as privilege escalation, denial of service, command execution, code execution and Information Disclosure are observed. Information about these security vulnerability affecting WebSphere Application Server is published in the respective security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Rational Asset Manager 7.5 .1, 7.5.2.x, 7.5.3.x, and 7.5.4.x.\n\nNOTE: Rational Asset Manager 7.5.2 and later versions does not support embedded WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS). **Affected Supporting Product** | **Affected Supporting Product Security Bulletin** \n---|--- \nIBM WebSphere Application Server Version 7.0, 8.0, 8.5, and 9.0. | [Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-denial-service-cve-2019-4720> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" ) \n[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276)](<https://www.ibm.com/support/pages/security-bulletin-privilege-escalation-vulnerability-websphere-application-server-cve-2020-4276> \"Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server \$CVE-2020-4276\$\" ) \n[Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-command-execution-vulnerability-cve-2020-4163> \"Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability \$CVE-2020-4163\$\" ) \n[Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4449)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-information-exposure-vulnerability-cve-2020-4449> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \$CVE-2020-4449\$\" ) \n[Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448)](<https://www.ibm.com/support/pages/security-bulletin-remote-code-execution-vulnerability-websphere-application-server-nd-cve-2020-4448> \"Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND \$CVE-2020-4448\$\" ) \n[Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-cve-2020-4329> \"Security Bulletin: Information disclosure in WebSphere Application Server \$CVE-2020-4329\$\" ) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-20T06:09:39", "type": "ibm", "title": "Security Bulletin: Security vulnerability is identified in the WebSphere Application Server where the Rational Asset Manager is deployed", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-4720", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4448", "CVE-2020-4449"], "modified": "2020-06-20T06:09:39", "id": "929D837DD9C3EA90C20AF84418A0A2BB1D61BFBA6F69A8B90EB5479898403F5C", "href": "https://www.ibm.com/support/pages/node/6236710", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:48:48", "description": "## Summary\n\nVulnerabilities in IBM\u00ae Runtime Environment Java\u2122, IBM WebSphere Application Server Liberty, and Apache Commons affect IBM Spectrum Protect Operations Center and IBM Spectrum Protect Client Management Service. The Java vulnerabilities were disclosed as part of the IBM Java SDK updates in January 2020, April 2020, and July 2020.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-2654](<https://vulners.com/cve/CVE-2020-2654>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-2781](<https://vulners.com/cve/CVE-2020-2781>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179681](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179681>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14579](<https://vulners.com/cve/CVE-2020-14579>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14578](<https://vulners.com/cve/CVE-2020-14578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14577](<https://vulners.com/cve/CVE-2020-14577>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** Third Party Entry: **177835 \n** DESCRIPTION: **Apache Commons Codec information disclosure \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177835>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Operations Center| 8.1.0.000-8.1.10.xxx \n7.1.0.000-7.1.11.xxx \nIBM Spectrum Protect Client Management Service (CMS)| 8.1.0.000-8.1.10.xxx \n7.1.0.000-7.1.11.xxx \n \n\n\n## Remediation/Fixes\n\n**IBM Spectrum Protect** \n**Operations Center Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n8.1| 8.1.11.000| AIX \nLinux \nWindows| <http://www.ibm.com/support/pages/node/6368263> \n7.1| 7.1.12.000| AIX \nLinux \nWindows| <https://www.ibm.com/support/pages/node/6368245> \nNote that the Apache Commons vulnerability (Third Party Entry 177835) \ndoes not affect the 7.1 release. \n \n**IBM Spectrum Protect** \n**Client Management Service Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n8.1| 8.1.11.000| Linux \nWindows| \n\n[https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/cms/v8r1](<https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/cms/v8r1/> \"\" ) \nNote that the Apache Commons vulnerability (Third Party Entry 177835) \ndoes not affect the 8.1 release. \n \n7.1| 7.1.12.000| Linux \nWindows| \n\n[https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/cms/v7r1](<https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/cms/v7r1/> \"\" ) \nNote that the Apache Commons vulnerability (Third Party Entry 177835) \ndoes not affect the 7.1 release. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-11-20T23:56:21", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java Runtime, IBM WebSphere Application Server Liberty, and Apache Commons affect IBM Spectrum Protect Operations Center and IBM Spectrum Protect Client Management Service", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-2654", "CVE-2020-2781", "CVE-2020-4329"], "modified": "2020-11-20T23:56:21", "id": "A8B1328EDAD509E1D76C6016AE0790BC81F18C61790542709096AA8E663BAEC6", "href": "https://www.ibm.com/support/pages/node/6369171", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T17:59:01", "description": "## Summary\n\nVulnerabilities in IBM WebSphere Application Server Liberty, IBM Runtime Environment Java, Log4j, and Apache Commons affect IBM Spectrum Protect Snapshot for VMware. The IBM Runtime Environment Java vulnerabilities were disclosed as part of the IBM Java SDK updates in April and July 2020.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-2781](<https://vulners.com/cve/CVE-2020-2781>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179681](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179681>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-9488](<https://vulners.com/cve/CVE-2020-9488>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180824](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180824>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17571](<https://vulners.com/cve/CVE-2019-17571>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173314](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173314>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14579](<https://vulners.com/cve/CVE-2020-14579>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14578](<https://vulners.com/cve/CVE-2020-14578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14577](<https://vulners.com/cve/CVE-2020-14577>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** Third Party Entry: **177835 \n** DESCRIPTION: **Apache Commons Codec information disclosure \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177835>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Snapshot for VMware| 4.1.0.0-4.1.6.10 \n \n## Remediation/Fixes\n\n**_IBM Spectrum Protect Snapshot \nfor VMware Release_**| **_First Fixing \nVRM Level_**| **_Platform_**| **_Link to Fix_** \n---|---|---|--- \n4.1| 4.1.6.11| Linux| <https://www.ibm.com/support/pages/node/6405750> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T11:37:31", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty, IBM Java Runtime, Log4j, and Apache Commons affect IBM Spectrum Protect Snapshot for VMware", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17571", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-2781", "CVE-2020-4329", "CVE-2020-9488"], "modified": "2022-02-01T11:37:31", "id": "E2B86254D720126A86E0D868B69F73304F67BBA828605033D214DA145B7078F4", "href": "https://www.ibm.com/support/pages/node/6405944", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:51:44", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Tivoli Federated Identity Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Federated Identity Manager| All \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s)| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Federated Identity Manager. ALL versions| WAS is vulnerable to a DOS \nWAS traditional versions 9.0, 8.5, 8.0 and 7.0 \nWAS liberty| [Security Bulletin: WebSphere Application Server is vulnerable to a denial of service(CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service\$CVE-2019-4720\$\" ) \nIBM Tivoli Federated Identity Manager. ALL versions | \n\nWAS 9.0, 8.5, 8.0 and 7.0\n\n| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to command execution vulnerability(CVE-2020-4163) \n](<https://www.ibm.com/support/pages/node/1288786> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \$CVE-2020-4449\$\" )[ \n](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability \$CVE-2020-4449\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS traditional versions 9.0, 8.5, 8.0 and 7.0\n\n| \n\n[Security Bulletin: IBM WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability (CVE-2020-4276)](<https://www.ibm.com/support/pages/node/6118222> \"Security Bulletin: IBM WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability \$CVE-2020-4276\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS traditional versions 9.0, 8.5, 8.0 and 7.0\n\n| \n\n[Security Bulletin: WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability(CVE-2020-4362)](<https://www.ibm.com/support/pages/node/6174417> \"Security Bulletin: WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability\$CVE-2020-4362\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS traditional versions 9.0, 8.5\n\n| \n\n[Security Bulletin:WebSphere Application Server traditional is vulnerable to a Remote Command Execution vulnerability.(CVE-2020-4450)](<https://www.ibm.com/support/pages/node/6220294> \"Security Bulletin:WebSphere Application Server traditional is vulnerable to a Remote Command Execution vulnerability.\$CVE-2020-4450\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS ND traditional 8.5 and 9.0\n\nWebSphere Virtual Enterprise Edition V7.0 and V8.0\n\n| \n\n[Security Bulletin:Remote code execution vulnerability in WebSphere Application Server ND(CVE-2020-4448)](<https://www.ibm.com/support/pages/node/6220336> \"Security Bulletin:Remote code execution vulnerability in WebSphere Application Server ND\$CVE-2020-4448\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS 9.0, 8.5, 8.0 and 7.0\n\nWAS liberty\n\n| \n\n[Security Bulletin:Information disclosure in WebSphere Application Server(CVE-2020-4329)](<https://www.ibm.com/support/pages/node/6201862> \"Security Bulletin:Information disclosure in WebSphere Application Server\$CVE-2020-4329\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS traditional 7.0, 8.0, 8.5 and 9.0\n\n| \n\n[Security Bulletin:WebSphere Application Server traditional is vulnerable to a Information Disclosure vulnerability(CVE-2020-4449)](<https://www.ibm.com/support/pages/node/6220296> \"Security Bulletin:WebSphere Application Server traditional is vulnerable to a Information Disclosure vulnerability\$CVE-2020-4449\$\" ) \n \nIBM Tivoli Federated Identity Manager. ALL versions\n\n| \n\nWAS traditional version 8.5\n\n| \n\n[Security Bulletin:WebSphere Application Server traditional is vulnerable to a server-side request forgery vulnerability(CVE-2020-4365)](<https://www.ibm.com/support/pages/node/6209099> \"Security Bulletin:WebSphere Application Server traditional is vulnerable to a server-side request forgery vulnerability\$CVE-2020-4365\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-25T23:55:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-4720", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4329", "CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4448", "CVE-2020-4449", "CVE-2020-4450"], "modified": "2020-08-25T23:55:00", "id": "DD1E4FBBDF4FA000EDF2E286A05EA634208DB4377C6B455CD048AACE3C0B8023", "href": "https://www.ibm.com/support/pages/node/6322705", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:47:52", "description": "## Summary\n\nMultiple Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-17573](<https://vulners.com/cve/CVE-2019-17573>) \n** DESCRIPTION: **Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-12406](<https://vulners.com/cve/CVE-2019-12406>) \n** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170974>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-4421](<https://vulners.com/cve/CVE-2020-4421>) \n** DESCRIPTION: **IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180084](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180084>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-17495](<https://vulners.com/cve/CVE-2019-17495>) \n** DESCRIPTION: **Swagger UI could allow a remote attacker to obtain sensitive information, caused by a CSS injection flaw. By using the relative path overwrite (RPO) attack technique, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169050](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169050>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-4663](<https://vulners.com/cve/CVE-2019-4663>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171245](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171245>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4303](<https://vulners.com/cve/CVE-2020-4303>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176668](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176668>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4304](<https://vulners.com/cve/CVE-2020-4304>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176670](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176670>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Application Business Insights| 1.1.4, 1.1.3 \n \n\n\n## Remediation/Fixes\n\nThe Vulnerabilities can be remediated by applying the ICABI FixPack 1.1.4.2 to all systems where IBM Cloud Application Business Insights version 1.1.4 is installed. \n\nThe Vulnerabilities can be remediated by applying the ICABI FixPack 1.1.3.1 to all systems where IBM Cloud Application Business Insights version 1.1.3 is installed. \n\nThe fixes can be found at the following location- \n\nDownload Description | Download Link (Fix Central) \n---|--- \n1.1.4.2 Fix Pack| [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_1.1.4._FP2&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_1.1.4._FP2&source=SAR>) \n1.1.3.1 Fix Pack| \n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_template.xml&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_template.xml&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-22T06:06:23", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12406", "CVE-2019-17495", "CVE-2019-17573", "CVE-2019-4663", "CVE-2019-4720", "CVE-2020-4303", "CVE-2020-4304", "CVE-2020-4329", "CVE-2020-4421"], "modified": "2020-12-22T06:06:23", "id": "54E686FBB2E60A0BDEAB59EFECEB36D61C77A784661FD44124BD8864158EE317", "href": "https://www.ibm.com/support/pages/node/6391590", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:47:27", "description": "## Summary\n\nThere are vulnerabilities in IBM WebSphere Liberty used by IBM Waston Machine Learning Accelerator 1.2.2, and IBM Waston Machine Learning Accelerator 2.2.0 have addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-4663](<https://vulners.com/cve/CVE-2019-4663>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171245](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171245>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-17495](<https://vulners.com/cve/CVE-2019-17495>) \n** DESCRIPTION: **Swagger UI could allow a remote attacker to obtain sensitive information, caused by a CSS injection flaw. By using the relative path overwrite (RPO) attack technique, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169050](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169050>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4329](<https://vulners.com/cve/CVE-2020-4329>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-4720](<https://vulners.com/cve/CVE-2019-4720>) \n** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-17573](<https://vulners.com/cve/CVE-2019-17573>) \n** DESCRIPTION: **Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-12406](<https://vulners.com/cve/CVE-2019-12406>) \n** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170974>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-4421](<https://vulners.com/cve/CVE-2020-4421>) \n** DESCRIPTION: **IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180084](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180084>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-4303](<https://vulners.com/cve/CVE-2020-4303>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176668](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176668>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4304](<https://vulners.com/cve/CVE-2020-4304>) \n** DESCRIPTION: **IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176670](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176670>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Machine Learning Accelerator| 1.2.2 \n \n\n\n## Remediation/Fixes\n\nProduct(s)| Version(s)| APAR| Remediation/Fixes \n---|---|---|--- \nIBM Watson Machine Learning Accelerator| 1.2.2 \n| None| [sc-2.4.1-build545138](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.4.1-build545138&includeSupersedes=0> \"sc-2.4.1-build545138\" )\n\n[sc-2.4.1-build566592](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.4.1-build566592&includeSupersedes=0> \"sc-2.4.1-build566592\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-18T07:09:53", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12406", "CVE-2019-17495", "CVE-2019-17573", "CVE-2019-4663", "CVE-2019-4720", "CVE-2020-4303", "CVE-2020-4304", "CVE-2020-4329", "CVE-2020-4421"], "modified": "2021-01-18T07:09:53", "id": "02FD10030B8366010758D75673B2286A0CD064A8561853F6F314CF7B7BC8B298", "href": "https://www.ibm.com/support/pages/node/6405740", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:44:36", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Security Identity Manager (ISIM). Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nISIM | 6.0.0 \nISIM | 6.0.2 \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version(s) | Affected Supporting Product Security Bulletin \n---|---|--- \nISIM 6.0.0 | WAS 7.0, 8.0, 8.5 | [Security Bulletin: Path traversal vulnerability in WebSphere Application Server Admin Console (CVE-2019-4442)](<https://www.ibm.com/support/pages/node/959021> \"Security Bulletin: Path traversal vulnerability in WebSphere Application Server Admin Console \$CVE-2019-4442\$\" ) \n[Security Bulletin: File traversal vulnerability in WebSphere Application Server Admin Console (CVE-2019-4268)](<https://www.ibm.com/support/pages/node/884030> \"Security Bulletin: File traversal vulnerability in WebSphere Application Server Admin Console \$CVE-2019-4268\$\" ) \n[Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server Admin Console (CVE-2019-4270)](<https://www.ibm.com/support/pages/node/884036> \"Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server Admin Console \$CVE-2019-4270\$\" ) \n[Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2019-4477)](<https://www.ibm.com/support/pages/node/960290> \"Security Bulletin: Information disclosure vulnerability in WebSphere Application Server \$CVE-2019-4477\$\" ) \n[Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2019-4441)](<https://www.ibm.com/support/pages/node/959023> \"Security Bulletin: Information disclosure vulnerability in WebSphere Application Server \$CVE-2019-4441\$\" ) \n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \nISIM 6.0.0 | WAS 7.0, 8.5 | [Security Bulletin: HTTP Parameter Pollution and XSS vulnerability in WebSphere Application Server Admin Console ND (CVE-2019-4271)](<https://www.ibm.com/support/pages/node/884040> \"Security Bulletin: HTTP Parameter Pollution and XSS vulnerability in WebSphere Application Server Admin Console ND \$CVE-2019-4271\$\" ) \n \nISIM 6.0.0 \n\nISIM 6.0.2\n\n| \n\nWAS 7.0, 8.0, 8.5\n\nWAS 9\n\n| [Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720)](<https://www.ibm.com/support/pages/node/1285372> \"Security Bulletin: WebSphere Application Server is vulnerable to a denial of service \$CVE-2019-4720\$\" ) \n[Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670)](<https://www.ibm.com/support/pages/node/1289152> \"Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console \$CVE-2019-4670\$\" ) \n[Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163)](<https://www.ibm.com/support/pages/node/1288786> \"Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability \$CVE-2020-4163\$\" ) \nISIM 6.0.2 | WAS 9 | [Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406)](<https://www.ibm.com/support/pages/node/1288774> \"Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server \$CVE-2019-12406\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-21T05:30:45", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Security Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086", "CVE-2019-12406", "CVE-2019-4268", "CVE-2019-4270", "CVE-2019-4271", "CVE-2019-4441", "CVE-2019-4442", "CVE-2019-4477", "CVE-2019-4670", "CVE-2019-4720", "CVE-2020-4163"], "modified": "2020-02-21T05:30:45", "id": "ACDFCA5E93908C1CC35E54B4EF854ED57BCD6CD2641A3590CD2418E8BCA917EA", "href": "https://www.ibm.com/support/pages/node/2868303", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-29T19:29:15", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-08-26T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for commons-beanutils (DLA-1896-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891896", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891896", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891896\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-26 02:00:07 +0000 (Mon, 26 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for commons-beanutils (DLA-1896-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1896-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'commons-beanutils'\n package(s) announced via the DLA-1896-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\");\n\n script_tag(name:\"affected\", value:\"'commons-beanutils' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libcommons-beanutils-java\", ver:\"1.9.2-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libcommons-beanutils-java-doc\", ver:\"1.9.2-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:49:22", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-beanutils FEDORA-2019-bcad44b5d6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877152", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877152", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877152\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:28:54 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for apache-commons-beanutils FEDORA-2019-bcad44b5d6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-bcad44b5d6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the FEDORA-2019-bcad44b5d6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The scope of this package is to create a package of Java utility methods\nfor accessing and modifying the properties of arbitrary JavaBeans. No\ndependencies outside of the JDK are required, so the use of this package\nis very lightweight.\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.9.4~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-30T16:44:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-29T00:00:00", "type": "openvas", "title": "CentOS: Security Advisory for apache-commons-beanutils (CESA-2020:0194)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-30T00:00:00", "id": "OPENVAS:1361412562310883171", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883171", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883171\");\n script_version(\"2020-01-30T08:15:08+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-30 08:15:08 +0000 (Thu, 30 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-29 04:01:10 +0000 (Wed, 29 Jan 2020)\");\n script_name(\"CentOS: Security Advisory for apache-commons-beanutils (CESA-2020:0194)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2020:0194\");\n script_xref(name:\"URL\", value:\"https://lists.centos.org/pipermail/centos-announce/2020-January/035618.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the CESA-2020:0194 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Apache Commons BeanUtils library provides utility methods for accessing\nand modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es):\n\n * apache-commons-beanutils: does not suppresses the class property in\nPropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.8.3~15.el7_7\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils-javadoc\", rpm:\"apache-commons-beanutils-javadoc~1.8.3~15.el7_7\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:47:33", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-03T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for apache-commons-beanutils (openSUSE-SU-2019:2058-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852686", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852686", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852686\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-03 02:04:04 +0000 (Tue, 03 Sep 2019)\");\n script_name(\"openSUSE: Security Advisory for apache-commons-beanutils (openSUSE-SU-2019:2058-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2058-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the openSUSE-SU-2019:2058-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for apache-commons-beanutils fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-10086: Added special BeanIntrospector class which allows\n suppressing the ability for an attacker to access the classloader via\n the class property available on all Java objects (bsc#1146657).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2058=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2058=1\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.9.2~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils-javadoc\", rpm:\"apache-commons-beanutils-javadoc~1.9.2~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-17T09:28:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-11-14T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-beanutils FEDORA-2019-79b5790566", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2019-11-15T00:00:00", "id": "OPENVAS:1361412562310876994", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876994", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876994\");\n script_version(\"2019-11-15T08:07:38+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-15 08:07:38 +0000 (Fri, 15 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-14 03:29:24 +0000 (Thu, 14 Nov 2019)\");\n script_name(\"Fedora Update for apache-commons-beanutils FEDORA-2019-79b5790566\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-79b5790566\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the FEDORA-2019-79b5790566 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The scope of this package is to create a package of Java utility methods\nfor accessing and modifying the properties of arbitrary JavaBeans. No\ndependencies outside of the JDK are required, so the use of this package\nis very lightweight.\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.9.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-08-05T05:18:35", "description": "\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\n\n* [CVE-2019-10086](https://security-tracker.debian.org/tracker/CVE-2019-10086)\nIn Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n1.9.2-1+deb8u1.\n\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T00:00:00", "type": "osv", "title": "commons-beanutils - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2022-08-05T05:18:33", "id": "OSV:DLA-1896-1", "href": "https://osv.dev/vulnerability/DLA-1896-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:19:46", "description": "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-15T20:36:17", "type": "osv", "title": "Insecure Deserialization in Apache Commons Beanutils", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2023-04-11T01:19:41", "id": "OSV:GHSA-6PHF-73Q6-GH87", "href": "https://osv.dev/vulnerability/GHSA-6phf-73q6-gh87", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-10-22T12:45:58", "description": "Package : commons-beanutils\nVersion : 1.9.2-1+deb8u1\nCVE ID : CVE-2019-10086\n\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\nFor Debian 8 "Jessie", this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T14:49:34", "type": "debian", "title": "[SECURITY] [DLA 1896-1] commons-beanutils security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-08-24T14:49:34", "id": "DEBIAN:DLA-1896-1:853E6", "href": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-01T15:15:59", "description": "Package : commons-beanutils\nVersion : 1.9.2-1+deb8u1\nCVE ID : CVE-2019-10086\n\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\nFor Debian 8 "Jessie", this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T14:49:34", "type": "debian", "title": "[SECURITY] [DLA 1896-1] commons-beanutils security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-08-24T14:49:34", "id": "DEBIAN:DLA-1896-1:572E2", "href": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2022-11-10T08:11:25", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for apache-commons-beanutils fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-10086: Added special BeanIntrospector class which allows\n suppressing the ability for an attacker to access the classloader via\n the class property available on all Java objects (bsc#1146657).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2058=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2058=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-09-03T00:00:00", "type": "suse", "title": "Security update for apache-commons-beanutils (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-09-03T00:00:00", "id": "OPENSUSE-SU-2019:2058-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZY7XA5ODCMNPHIE2KXBFLLPP6RFCHE62/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T18:46:49", "description": "### Description\n\nApache Commons Beanutils is prone to a remote security vulnerability. An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Apache Commons Beanutils 1.9.2, and 1.9.3 are vulnerable.\n\n### Technologies Affected\n\n * Apache Commons BeanUtils 1.9.2 \n * Apache Commons BeanUtils 1.9.3 \n * Debian Linux 8.0 \n * IBM Content Navigator 3.0CD \n * openSUSE Leap 15.0 \n * openSUSE Leap 15.1 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-08-15T00:00:00", "type": "symantec", "title": "Apache Commons Beanutils CVE-2019-10086 Remote Security Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2019-08-15T00:00:00", "id": "SMNTC-109915", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/109915", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:23:11", "description": "The IBM WebSphere Application Server running on the remote host is version 7.0.0.0 through 7.0.0.45, 8.0.0.0 through 8.0.0.15, 8.5.0.x prior to 8.5.5.17, or 9.0.x prior to 9.0.5.2. It is, therefore, affected by a vulnerability in the Apache Commons Beanutils subcomponent. An unauthenticated, remote attacker can exploit this in order to access the classloader via the class property available on all Java objects.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-23T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.17 / 9.0.x < 9.0.5.2 Beanutils Vulnerability (CVE-2019-10086)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_1115085.NASL", "href": "https://www.tenable.com/plugins/nessus/141853", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141853);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.17 / 9.0.x < 9.0.5.2 Beanutils Vulnerability (CVE-2019-10086)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere Application Server running on the remote host is version 7.0.0.0 through 7.0.0.45, 8.0.0.0 through\n8.0.0.15, 8.5.0.x prior to 8.5.5.17, or 9.0.x prior to 9.0.5.2. It is, therefore, affected by a vulnerability in the\nApache Commons Beanutils subcomponent. An unauthenticated, remote attacker can exploit this in order to access the\nclassloader via the class property available on all Java objects.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/1115085\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM WebSphere Application Server 8.5.5.17, 9.0.5.2, or later. Alternatively, upgrade to the minimal fix pack\nlevels required by the interim fix and then apply Interim Fix PH17557.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"ibm_enum_products.nbin\", \"ibm_websphere_application_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM WebSphere Application Server';\nfix = 'Interim Fix PH17557';\n\napp_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n# If the detection is only remote, Source will be set, and we should require paranoia\nif (!empty_or_null(app_info['Source']) && app_info['Source'] != 'unknown' && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nif ('PH17557' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n {'min_version':'7.0.0.0', 'max_version':'7.0.0.45', 'fixed_version':fix},\n {'min_version':'8.0.0.0', 'max_version':'8.0.0.15', 'fixed_version':fix},\n {'min_version':'8.5.0.0', 'max_version':'8.5.5.16', 'fixed_version':'8.5.5.17 or ' + fix},\n {'min_version':'9.0.0.0', 'max_version':'9.0.5.1', 'fixed_version':'9.0.5.2 or ' + fix}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:32", "description": "From Red Hat Security Advisory 2020:0194 :\n\nAn update for apache-commons-beanutils is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Apache Commons BeanUtils library provides utility methods for accessing and modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es) :\n\n* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : apache-commons-beanutils (ELSA-2020-0194)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:apache-commons-beanutils", "p-cpe:/a:oracle:linux:apache-commons-beanutils-javadoc", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2020-0194.NASL", "href": "https://www.tenable.com/plugins/nessus/133182", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0194 and \n# Oracle Linux Security Advisory ELSA-2020-0194 respectively.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133182);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"RHSA\", value:\"2020:0194\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Oracle Linux 7 : apache-commons-beanutils (ELSA-2020-0194)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2020:0194 :\n\nAn update for apache-commons-beanutils is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Apache Commons BeanUtils library provides utility methods for\naccessing and modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es) :\n\n* apache-commons-beanutils: does not suppresses the class property in\nPropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2020-January/009538.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected apache-commons-beanutils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"apache-commons-beanutils-1.8.3-15.el7_7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"apache-commons-beanutils-javadoc-1.8.3-15.el7_7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils / apache-commons-beanutils-javadoc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:09", "description": "Security Fix(es) :\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : apache-commons-beanutils on SL7.x (noarch) (20200121)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:apache-commons-beanutils", "p-cpe:/a:fermilab:scientific_linux:apache-commons-beanutils-javadoc", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20200121_APACHE_COMMONS_BEANUTILS_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/133192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133192);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Scientific Linux Security Update : apache-commons-beanutils on SL7.x (noarch) (20200121)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - apache-commons-beanutils: does not suppresses the class\n property in PropertyUtilsBean by default\n (CVE-2019-10086)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2001&L=SCIENTIFIC-LINUX-ERRATA&P=6384\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?904318d7\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected apache-commons-beanutils and / or\napache-commons-beanutils-javadoc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", reference:\"apache-commons-beanutils-1.8.3-15.el7_7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"apache-commons-beanutils-javadoc-1.8.3-15.el7_7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils / apache-commons-beanutils-javadoc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:54:58", "description": "An update for apache-commons-beanutils is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Apache Commons BeanUtils library provides utility methods for accessing and modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es) :\n\n* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2020-01-30T00:00:00", "type": "nessus", "title": "CentOS 7 : apache-commons-beanutils (CESA-2020:0194)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:centos:centos:apache-commons-beanutils", "p-cpe:/a:centos:centos:apache-commons-beanutils-javadoc", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2020-0194.NASL", "href": "https://www.tenable.com/plugins/nessus/133310", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:0194 and \n# CentOS Errata and Security Advisory 2020:0194 respectively.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133310);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"RHSA\", value:\"2020:0194\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"CentOS 7 : apache-commons-beanutils (CESA-2020:0194)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for apache-commons-beanutils is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Apache Commons BeanUtils library provides utility methods for\naccessing and modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es) :\n\n* apache-commons-beanutils: does not suppresses the class property in\nPropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\");\n # https://lists.centos.org/pipermail/centos-announce/2020-January/035618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7bdcc1d9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected apache-commons-beanutils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"apache-commons-beanutils-1.8.3-15.el7_7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"apache-commons-beanutils-javadoc-1.8.3-15.el7_7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils / apache-commons-beanutils-javadoc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:57:11", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has apache-commons-beanutils packages installed that are affected by a vulnerability:\n\n - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\n (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-03-08T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : apache-commons-beanutils Vulnerability (NS-SA-2020-0011)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0011_APACHE-COMMONS-BEANUTILS.NASL", "href": "https://www.tenable.com/plugins/nessus/134324", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0011. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134324);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : apache-commons-beanutils Vulnerability (NS-SA-2020-0011)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has apache-commons-beanutils packages installed\nthat are affected by a vulnerability:\n\n - In Apache Commons Beanutils 1.9.2, a special\n BeanIntrospector class was added which allows\n suppressing the ability for an attacker to access the\n classloader via the class property available on all Java\n objects. We, however were not using this by default\n characteristic of the PropertyUtilsBean.\n (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0011\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL apache-commons-beanutils packages. Note that updated packages may not be available yet.\nPlease contact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"apache-commons-beanutils-1.8.3-15.el7_7\",\n \"apache-commons-beanutils-javadoc-1.8.3-15.el7_7\"\n ],\n \"CGSL MAIN 5.04\": [\n \"apache-commons-beanutils-1.8.3-15.el7_7\",\n \"apache-commons-beanutils-javadoc-1.8.3-15.el7_7\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:33", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has apache-commons-beanutils packages installed that are affected by a vulnerability:\n\n - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects.\n We, however were not using this by default characteristic of the PropertyUtilsBean. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : apache-commons-beanutils Vulnerability (NS-SA-2020-0100)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-05T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0100_APACHE-COMMONS-BEANUTILS.NASL", "href": "https://www.tenable.com/plugins/nessus/144009", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0100. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144009);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : apache-commons-beanutils Vulnerability (NS-SA-2020-0100)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has apache-commons-beanutils packages installed\nthat are affected by a vulnerability:\n\n - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the\n ability for an attacker to access the classloader via the class property available on all Java objects.\n We, however were not using this by default characteristic of the PropertyUtilsBean. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0100\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL apache-commons-beanutils packages. Note that updated packages may not be available yet.\nPlease contact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.05': [\n 'apache-commons-beanutils-1.8.3-15.el7_7',\n 'apache-commons-beanutils-javadoc-1.8.3-15.el7_7'\n ],\n 'CGSL MAIN 5.05': [\n 'apache-commons-beanutils-1.8.3-15.el7_7',\n 'apache-commons-beanutils-javadoc-1.8.3-15.el7_7'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-beanutils');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:06:49", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2740 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-06-25T00:00:00", "type": "nessus", "title": "RHEL 7 : candlepin and satellite (RHSA-2020:2740)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:candlepin", "p-cpe:/a:redhat:enterprise_linux:candlepin-selinux", "p-cpe:/a:redhat:enterprise_linux:satellite", "p-cpe:/a:redhat:enterprise_linux:satellite-capsule", "p-cpe:/a:redhat:enterprise_linux:satellite-cli", "p-cpe:/a:redhat:enterprise_linux:satellite-common", "p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools"], "id": "REDHAT-RHSA-2020-2740.NASL", "href": "https://www.tenable.com/plugins/nessus/137775", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2740. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137775);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"RHSA\", value:\"2020:2740\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n script_xref(name:\"IAVA\", value:\"2021-A-0196\");\n script_xref(name:\"IAVA\", value:\"2021-A-0035-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0328\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 : candlepin and satellite (RHSA-2020:2740)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:2740 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default\n (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10086\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2740\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1767483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(502);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-capsule\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.5/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.5/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.5/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.5/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.5/os',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.5/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'candlepin-2.5.22-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'candlepin-selinux-2.5.22-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-6.5.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-capsule-6.5.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-cli-6.5.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-common-6.5.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-debug-tools-6.5.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'candlepin / candlepin-selinux / satellite / satellite-capsule / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:11:56", "description": "The 13.3.0.1 versions of Application Testing Suite installed on the remote host are affected by a vulnerability as referenced in the July 2021 CPU advisory.\n\n - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component:\n Load Testing for Web Apps (Apache Commons BeanUtils)). The supported version that is affected is 13.3.0.1.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Testing Suite accessible data as well as unauthorized read access to a subset of Oracle Application Testing Suite accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Testing Suite. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-23T00:00:00", "type": "nessus", "title": "Oracle Application Testing Suite (Jul 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:application_testing_suite"], "id": "ORACLE_OATS_CPU_JUL_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/152043", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152043);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"IAVA\", value:\"2021-A-0345\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Application Testing Suite (Jul 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The 13.3.0.1 versions of Application Testing Suite installed on the remote host are affected by a vulnerability as\nreferenced in the July 2021 CPU advisory.\n\n - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component:\n Load Testing for Web Apps (Apache Commons BeanUtils)). The supported version that is affected is 13.3.0.1.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to\n compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Application Testing Suite accessible data\n as well as unauthorized read access to a subset of Oracle Application Testing Suite accessible data and\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Testing\n Suite. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\nall\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:application_testing_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_application_testing_suite_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Application Testing Suite\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle.inc');\n\nvar app_info = vcf::oracle_oats::get_app_info();\n\nvar patches_to_report;\nvar patches_to_check;\nif (get_kb_item('SMB/Registry/Enumerated'))\n{\n patches_to_report = make_list('32690142');\n}\nelse\n{\n patches_to_report = make_list('32690142', '32690139');\n patches_to_check = make_list('32690139');\n}\n\nvar constraints = [\n { 'min_version' : '13.3.0.1', 'fixed_version' : '13.3.0.1.402' }\n];\n\nvcf::oracle_oats::check_version_and_report(\n app_info:app_info,\n severity:SECURITY_HOLE,\n constraints:constraints,\n patches_to_report:patches_to_report,\n patches_to_check:patches_to_check\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:29:01", "description": "This update for apache-commons-beanutils fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-10086: Added special BeanIntrospector class which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects (bsc#1146657).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2019-09-03T00:00:00", "type": "nessus", "title": "openSUSE Security Update : apache-commons-beanutils (openSUSE-2019-2058)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:apache-commons-beanutils", "p-cpe:/a:novell:opensuse:apache-commons-beanutils-javadoc", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-2058.NASL", "href": "https://www.tenable.com/plugins/nessus/128464", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2058.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128464);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"openSUSE Security Update : apache-commons-beanutils (openSUSE-2019-2058)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for apache-commons-beanutils fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-10086: Added special BeanIntrospector class\n which allows suppressing the ability for an attacker to\n access the classloader via the class property available\n on all Java objects (bsc#1146657).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1146657\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected apache-commons-beanutils packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"apache-commons-beanutils-1.9.2-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"apache-commons-beanutils-javadoc-1.9.2-lp151.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils / apache-commons-beanutils-javadoc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:32:17", "description": "Update to version 1.9.4.\n\nResolves CVE-2019-10086.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-11-14T00:00:00", "type": "nessus", "title": "Fedora 31 : apache-commons-beanutils (2019-bcad44b5d6)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:apache-commons-beanutils", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-BCAD44B5D6.NASL", "href": "https://www.tenable.com/plugins/nessus/130990", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-bcad44b5d6.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130990);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"FEDORA\", value:\"2019-bcad44b5d6\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Fedora 31 : apache-commons-beanutils (2019-bcad44b5d6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to version 1.9.4.\n\nResolves CVE-2019-10086.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-bcad44b5d6\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected apache-commons-beanutils package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"apache-commons-beanutils-1.9.4-1.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:30:46", "description": "Update to version 1.9.4.\n\nResolves CVE-2019-10086.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-11-14T00:00:00", "type": "nessus", "title": "Fedora 30 : apache-commons-beanutils (2019-79b5790566)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:apache-commons-beanutils", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-79B5790566.NASL", "href": "https://www.tenable.com/plugins/nessus/130988", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-79b5790566.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130988);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"FEDORA\", value:\"2019-79b5790566\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Fedora 30 : apache-commons-beanutils (2019-79b5790566)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to version 1.9.4.\n\nResolves CVE-2019-10086.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-79b5790566\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected apache-commons-beanutils package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"apache-commons-beanutils-1.9.4-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:19:20", "description": "It was discovered that there was a remote arbitrary code vulnerability in commons-beanutils, a set of utilities for manipulating JavaBeans code.\n\nFor Debian 8 'Jessie', this issue has been fixed in commons-beanutils version 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-08-26T00:00:00", "type": "nessus", "title": "Debian DLA-1896-1 : commons-beanutils security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libcommons-beanutils-java", "p-cpe:/a:debian:debian_linux:libcommons-beanutils-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1896.NASL", "href": "https://www.tenable.com/plugins/nessus/128123", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1896-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128123);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DLA-1896-1 : commons-beanutils security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that there was a remote arbitrary code vulnerability\nin commons-beanutils, a set of utilities for manipulating JavaBeans\ncode.\n\nFor Debian 8 'Jessie', this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/commons-beanutils\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcommons-beanutils-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcommons-beanutils-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libcommons-beanutils-java\", reference:\"1.9.2-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcommons-beanutils-java-doc\", reference:\"1.9.2-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T14:16:02", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:0194 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "RHEL 7 : apache-commons-beanutils (RHSA-2020:0194)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:rhel_aus:7.7", "cpe:/o:redhat:rhel_e4s:7.7", "cpe:/o:redhat:rhel_eus:7.7", "cpe:/o:redhat:rhel_tus:7.7", "p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils", "p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils-javadoc"], "id": "REDHAT-RHSA-2020-0194.NASL", "href": "https://www.tenable.com/plugins/nessus/133165", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0194. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133165);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"RHSA\", value:\"2020:0194\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n script_xref(name:\"IAVA\", value:\"2021-A-0196\");\n script_xref(name:\"IAVA\", value:\"2021-A-0035-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0328\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 : apache-commons-beanutils (RHSA-2020:0194)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:0194 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default\n (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10086\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1767483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected apache-commons-beanutils and / or apache-commons-beanutils-javadoc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(502);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel/server/7/7.7/x86_64/debug',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/aus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/aus/rhel/server/7/7.7/x86_64/os',\n 'content/aus/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/optional/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap-hana/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/debug',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/os',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel/power-le/7/7.7/ppc64le/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap-hana/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/debug',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/os',\n 'content/e4s/rhel/server/7/7.7/x86_64/sap/source/SRPMS',\n 'content/e4s/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.7/x86_64/debug',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/debug',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/os',\n 'content/eus/rhel/computenode/7/7.7/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/computenode/7/7.7/x86_64/os',\n 'content/eus/rhel/computenode/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/optional/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap-hana/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/debug',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/os',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel/power-le/7/7.7/ppc64le/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/os',\n 'content/eus/rhel/power/7/7.7/ppc64/optional/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/os',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/debug',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/os',\n 'content/eus/rhel/power/7/7.7/ppc64/sap/source/SRPMS',\n 'content/eus/rhel/power/7/7.7/ppc64/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/eus/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/eus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/os',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/os',\n 'content/eus/rhel/server/7/7.7/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/os',\n 'content/eus/rhel/server/7/7.7/x86_64/sap-hana/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/debug',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/os',\n 'content/eus/rhel/server/7/7.7/x86_64/sap/source/SRPMS',\n 'content/eus/rhel/server/7/7.7/x86_64/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/optional/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/debug',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/os',\n 'content/eus/rhel/system-z/7/7.7/s390x/sap/source/SRPMS',\n 'content/eus/rhel/system-z/7/7.7/s390x/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/os',\n 'content/tus/rhel/server/7/7.7/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/debug',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/os',\n 'content/tus/rhel/server/7/7.7/x86_64/optional/source/SRPMS',\n 'content/tus/rhel/server/7/7.7/x86_64/os',\n 'content/tus/rhel/server/7/7.7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-beanutils-1.8.3-15.el7_7', 'sp':'7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-beanutils-javadoc-1.8.3-15.el7_7', 'sp':'7', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/debug',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/os',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/os',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/7/7Client/x86_64/os',\n 'content/dist/rhel/client/7/7Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/os',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/os',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/os',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/7/7Server/x86_64/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/os',\n 'content/fastrack/rhel/client/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/os',\n 'content/fastrack/rhel/client/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/os',\n 'content/fastrack/rhel/computenode/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/os',\n 'content/fastrack/rhel/power/7/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/os',\n 'content/fastrack/rhel/power/7/ppc64/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/optional/debug',\n 'content/fastrack/rhel/server/7/x86_64/optional/os',\n 'content/fastrack/rhel/server/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/os',\n 'content/fastrack/rhel/system-z/7/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/os',\n 'content/fastrack/rhel/system-z/7/s390x/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/os',\n 'content/fastrack/rhel/workstation/7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-beanutils-1.8.3-15.el7_7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-beanutils-javadoc-1.8.3-15.el7_7', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-beanutils / apache-commons-beanutils-javadoc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T20:38:39", "description": "The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:0057 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-23T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : rh-java-common-apache-commons-beanutils (RHSA-2020:0057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:rh-java-common-apache-commons-beanutils", "p-cpe:/a:redhat:enterprise_linux:rh-java-common-apache-commons-beanutils-javadoc"], "id": "REDHAT-RHSA-2020-0057.NASL", "href": "https://www.tenable.com/plugins/nessus/170331", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0057. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170331);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"RHSA\", value:\"2020:0057\");\n\n script_name(english:\"RHEL 6 / 7 : rh-java-common-apache-commons-beanutils (RHSA-2020:0057)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced\nin the RHSA-2020:0057 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default\n (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10086\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1767483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected rh-java-common-apache-commons-beanutils and / or rh-java-common-apache-commons-beanutils-javadoc\npackages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(502);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-java-common-apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-java-common-apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['6','7'])) audit(AUDIT_OS_NOT, 'Red Hat 6.x / 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/rhscl/1/debug',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/rhscl/1/os',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/rhscl/1/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhscl/1/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhscl/1/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhscl/1/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/rhscl/1/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/rhscl/1/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/rhscl/1/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhscl/1/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhscl/1/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhscl/1/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/rhscl/1/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/rhscl/1/os',\n 'content/dist/rhel/power/7/7Server/ppc64/rhscl/1/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhscl/1/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhscl/1/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/rhscl/1/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/rhscl/1/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/rhscl/1/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/rhscl/1/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/rhscl/1/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/rhscl/1/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'rh-java-common-apache-commons-beanutils-1.8.3-14.15.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'rh-java-common-apache-commons-beanutils-javadoc-1.8.3-14.15.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/6/6Server/x86_64/rhscl/1/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/rhscl/1/os',\n 'content/dist/rhel/server/6/6Server/x86_64/rhscl/1/source/SRPMS',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/rhscl/1/debug',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/rhscl/1/os',\n 'content/dist/rhel/workstation/6/6Workstation/x86_64/rhscl/1/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'rh-java-common-apache-commons-beanutils-1.8.3-14.14.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'rh-java-common-apache-commons-beanutils-javadoc-1.8.3-14.14.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'rh-java-common-apache-commons-beanutils / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:56:02", "description": "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. (CVE-2019-10086)", "cvss3": {}, "published": "2020-02-24T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : apache-commons-beanutils (ALAS-2020-1395)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:apache-commons-beanutils", "p-cpe:/a:amazon:linux:apache-commons-beanutils-javadoc", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2020-1395.NASL", "href": "https://www.tenable.com/plugins/nessus/133867", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1395.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133867);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10086\");\n script_xref(name:\"ALAS\", value:\"2020-1395\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Amazon Linux 2 : apache-commons-beanutils (ALAS-2020-1395)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class\nwas added which allows suppressing the ability for an attacker to\naccess the classloader via the class property available on all Java\nobjects. We, however were not using this by default characteristic of\nthe PropertyUtilsBean. (CVE-2019-10086)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1395.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update apache-commons-beanutils' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"apache-commons-beanutils-1.8.3-15.amzn2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"apache-commons-beanutils-javadoc-1.8.3-15.amzn2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-beanutils / apache-commons-beanutils-javadoc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:00:34", "description": "The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.46, 8.0 prior to 8.0.0.16, 8.5 prior to 8.5.5.18, 9.0 prior to 9.0.5.4, or 17.0.0.3 (Liberty) prior to 20.0.0.5 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. (CVE-2020-4329).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-05-08T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 7.0 < 7.0.0.46 / 8.0 < 8.0.0.16 / 8.5 < 8.5.5.18 / 9.0 < 9.0.5.4 / Liberty 17.0.0.3 < 20.0.0.5 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-4329"], "modified": "2021-09-24T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_6201862.NASL", "href": "https://www.tenable.com/plugins/nessus/136410", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136410);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/24\");\n\n script_cve_id(\"CVE-2020-4329\");\n script_xref(name:\"IAVA\", value:\"2020-A-0192-S\");\n\n script_name(english:\"IBM WebSphere Application Server 7.0 < 7.0.0.46 / 8.0 < 8.0.0.16 / 8.5 < 8.5.5.18 / 9.0 < 9.0.5.4 / Liberty 17.0.0.3 < 20.0.0.5 Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by an information\ndisclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.46, 8.0 prior to 8.0.0.16, \n8.5 prior to 8.5.5.18, 9.0 prior to 9.0.5.4, or 17.0.0.3 (Liberty) prior to 20.0.0.5 could allow a remote, authenticated \nattacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct \nspoofing attacks. (CVE-2020-4329).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/6201862\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the Fix Pack recommended in the vendor advisory. Alternatively, upgrade to the minimal fix pack levels required\nby the interim fix and then apply Interim Fix PH20847.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-4329\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"ibm_enum_products.nbin\", \"ibm_websphere_application_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM WebSphere Application Server';\nfix = 'Interim Fix PH20847';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\napp_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n# If the detection is only remote, Source will be set, and we should require paranoia\nif (!empty_or_null(app_info['Source']) && app_info['Source'] != 'unknown' && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nif ('PH20847' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n {'min_version':'7.0.0.0', 'max_version':'7.0.0.45', 'fixed_version':'7.0.0.46 or ' + fix},\n {'min_version':'8.0.0.0', 'max_version':'8.0.0.15', 'fixed_version':'8.0.0.16 or ' + fix},\n {'min_version':'8.5.0.0', 'max_version':'8.5.5.17', 'fixed_version':'8.5.5.18 or ' + fix},\n {'min_version':'9.0.0.0', 'max_version':'9.0.5.3', 'fixed_version':'9.0.5.4 or ' + fix},\n {'min_version':'17.0.0.3', 'max_version':'20.0.0.4', 'fixed_version':'20.0.0.5 or ' + fix}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:18:54", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1308 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n - nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-04-02T00:00:00", "type": "nessus", "title": "RHEL 7 : Red Hat Virtualization Engine security, bug fix 4.3.9 (Low) (RHSA-2020:1308)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2019-17195"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils", "p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils-javadoc", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-backend", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dbscripts", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extension-aaa-misc", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extensions-api-impl", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extensions-api-impl-javadoc", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-health-check-bundler", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-restapi", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-base", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-cinderlib", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine-common", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-websocket-proxy", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools-backup", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-vmconsole-proxy-helper", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-webadmin-portal", "p-cpe:/a:redhat:enterprise_linux:ovirt-engine-websocket-proxy", "p-cpe:/a:redhat:enterprise_linux:ovirt-fast-forward-upgrade", "p-cpe:/a:redhat:enterprise_linux:python2-ovirt-engine-lib", "p-cpe:/a:redhat:enterprise_linux:rhvm", "p-cpe:/a:redhat:enterprise_linux:rhvm-dependencies"], "id": "REDHAT-RHSA-2020-1308.NASL", "href": "https://www.tenable.com/plugins/nessus/135185", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1308. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135185);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\"CVE-2019-10086\", \"CVE-2019-17195\");\n script_xref(name:\"RHSA\", value:\"2020:1308\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n script_xref(name:\"IAVA\", value:\"2021-A-0196\");\n script_xref(name:\"IAVA\", value:\"2021-A-0035-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0326\");\n script_xref(name:\"IAVA\", value:\"2021-A-0328\");\n script_xref(name:\"IAVA\", value:\"2021-A-0347\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 : Red Hat Virtualization Engine security, bug fix 4.3.9 (Low) (RHSA-2020:1308)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:1308 advisory.\n\n - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default\n (CVE-2019-10086)\n\n - nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10086\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17195\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1308\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1764791\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1767483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-17195\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(248, 502);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-backend\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dbscripts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extension-aaa-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extensions-api-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-extensions-api-impl-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-health-check-bundler\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-restapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-cinderlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-websocket-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools-backup\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-vmconsole-proxy-helper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-webadmin-portal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-engine-websocket-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-fast-forward-upgrade\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ovirt-engine-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhvm-dependencies\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/os',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.0/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.0/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.0/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.1/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.1/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.1/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.2/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.2/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.2/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-power/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-power/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-power/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.0/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.0/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.0/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.1/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.1/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv/4.1/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'ovirt-engine-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-backend-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-dbscripts-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-extension-aaa-misc-1.0.4-1.el7ev', 'release':'7', 'el_string':'el7ev', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-extensions-api-impl-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-extensions-api-impl-javadoc-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-health-check-bundler-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-restapi-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-base-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-plugin-cinderlib-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-plugin-ovirt-engine-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-plugin-ovirt-engine-common-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-setup-plugin-websocket-proxy-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-tools-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-tools-backup-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-vmconsole-proxy-helper-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-webadmin-portal-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-engine-websocket-proxy-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'ovirt-fast-forward-upgrade-1.0.0-17.el7ev', 'release':'7', 'el_string':'el7ev', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'python2-ovirt-engine-lib-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'rhvm-4.3.9.3-0.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'rhvm-dependencies-4.3.2-1.el7ev', 'release':'7', 'el_string':'el7ev', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7.3/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/os',\n 'content/dist/rhel/power/7/7Server/ppc64/rhev-tools/3/source/SRPMS',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7.3/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhev-mgmt-agent/3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhevh/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-manager-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-mgmt-agent/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhv-tools/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh-build/4/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4.3/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rhvh/4/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-beanutils-1.8.3-15.el7_7', 'release':'7', 'el_string':'el7_7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'},\n {'reference':'apache-commons-beanutils-javadoc-1.8.3-15.el7_7', 'release':'7', 'el_string':'el7_7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'redhat-release-virtualization-host-4'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-beanutils / apache-commons-beanutils-javadoc / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:20", "description": "The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021 Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities :\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Portlet Services (dom4j)). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.\n Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. (CVE-2020-10683)\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Apache Commons BeanUtils)). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Portal accessible data as well as unauthorized read access to a subset of Oracle WebCenter Portal accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2019-10086)\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-02T00:00:00", "type": "nessus", "title": "Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2020-10683"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:webcenter_portal"], "id": "ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/146048", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146048);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\", \"CVE-2020-10683\");\n script_xref(name:\"IAVA\", value:\"2021-A-0326\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021\nCritical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities :\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Portlet\n Services (dom4j)). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.\n Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. (CVE-2020-10683)\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security\n Framework (Apache Commons BeanUtils)). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and\n 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP\n to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle WebCenter Portal accessible data as well as unauthorized\n read access to a subset of Oracle WebCenter Portal accessible data and unauthorized ability to cause a\n partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2019-10086)\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's\nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujan2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10683\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:webcenter_portal\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_webcenter_portal_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle WebCenter Portal\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle_webcenter_portal.inc');\n\nvar app_info = vcf::oracle_webcenter_portal::get_app_info();\n\nvar constraints = [\n {'min_version' : '11.1.1.9', 'fixed_version' : '11.1.1.9.210115'},\n {'min_version' : '12.2.1.3', 'fixed_version' : '12.2.1.3.201202'},\n {'min_version' : '12.2.1.4', 'fixed_version' : '12.2.1.4.201126'}\n];\n\nvcf::oracle_webcenter_portal::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:50", "description": "MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.23. Therefore, it's affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Apache Commons BeanUtils)). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Enterprise Monitor accessible data as well as unauthorized read access to a subset of MySQL Enterprise Monitor accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Enterprise Monitor. (CVE-2019-10086)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Spring Framework)). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise MySQL Enterprise Monitor.\n Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Enterprise Monitor, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Enterprise Monitor accessible data as well as unauthorized read access to a subset of MySQL Enterprise Monitor accessible data. (CVE-2020-5421)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Spring Security)). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data. (CVE-2020-5408)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-28T00:00:00", "type": "nessus", "title": "Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Jan 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2020-5408", "CVE-2020-5421"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_8_0_23.NASL", "href": "https://www.tenable.com/plugins/nessus/145538", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145538);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-10086\", \"CVE-2020-5408\", \"CVE-2020-5421\");\n script_xref(name:\"IAVA\", value:\"2021-A-0038\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Jan 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.23. Therefore, it's affected by \nmultiple vulnerabilities as referenced in the January 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Apache\n Commons BeanUtils)). Supported versions that are affected are 8.0.22 and prior. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise\n Monitor. Successful attacks of this vulnerability can result in unauthorized update, insert or delete\n access to some of MySQL Enterprise Monitor accessible data as well as unauthorized read access to a subset\n of MySQL Enterprise Monitor accessible data and unauthorized ability to cause a partial denial of service\n (partial DOS) of MySQL Enterprise Monitor. (CVE-2019-10086)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Spring\n Framework)). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via HTTPS to compromise MySQL Enterprise Monitor.\n Successful attacks require human interaction from a person other than the attacker and while the\n vulnerability is in MySQL Enterprise Monitor, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification\n access to critical data or all MySQL Enterprise Monitor accessible data as well as unauthorized read\n access to a subset of MySQL Enterprise Monitor accessible data. (CVE-2020-5421)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Service Manager (Spring\n Security)). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability\n allows low privileged attacker with network access via HTTPS to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete\n access to all MySQL Enterprise Monitor accessible data. (CVE-2020-5408)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujan2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujan2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nport = get_http_port(default:18443);\napp_info = vcf::get_app_info(app:'MySQL Enterprise Monitor', port:port, webapp:true);\n\nconstraints = [\n { 'min_version' : '8.0', 'fixed_version' : '8.0.23' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:26", "description": "The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory.\n\n - Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. (CVE-2022-21587, CVE-2022-39428)\n\n - Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Common Modules (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Human Resources accessible data as well as unauthorized read access to a subset of Oracle Human Resources accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Human Resources. (CVE-2019-10086)\n\n - Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Session Management). Supported versions that are affected are 12.2.6-12.2.11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Framework accessible data. (CVE-2022-21636)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-20T00:00:00", "type": "nessus", "title": "Oracle E-Business Suite (Oct 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2022-21587", "CVE-2022-21636", "CVE-2022-39428"], "modified": "2023-03-01T00:00:00", "cpe": ["cpe:/a:oracle:e-business_suite"], "id": "ORACLE_E-BUSINESS_CPU_OCT_2022.NASL", "href": "https://www.tenable.com/plugins/nessus/166317", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166317);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/01\");\n\n script_cve_id(\n \"CVE-2019-10086\",\n \"CVE-2022-21587\",\n \"CVE-2022-21636\",\n \"CVE-2022-39428\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0425\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/02/23\");\n\n script_name(english:\"Oracle E-Business Suite (Oct 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The versions of Oracle E-Business Suite installed on the remote host are affected by multiple vulnerabilities as\nreferenced in the October 2022 CPU advisory.\n\n - Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite\n (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web\n Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle\n Web Applications Desktop Integrator. (CVE-2022-21587, CVE-2022-39428)\n\n - Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Common Modules\n (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human\n Resources. Successful attacks of this vulnerability can result in unauthorized update, insert or delete\n access to some of Oracle Human Resources accessible data as well as unauthorized read access to a subset\n of Oracle Human Resources accessible data and unauthorized ability to cause a partial denial of service\n (partial DOS) of Oracle Human Resources. (CVE-2019-10086)\n\n - Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Session\n Management). Supported versions that are affected are 12.2.6-12.2.11. Easily exploitable vulnerability\n allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete\n access to all Oracle Applications Framework accessible data. (CVE-2022-21636)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpuoct2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2022.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2022 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10086\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-39428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:e-business_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_e-business_query_patch_info.nbin\");\n script_require_keys(\"Oracle/E-Business/Version\", \"Oracle/E-Business/patches/installed\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_oracle.inc');\n\nvar app_info = vcf::oracle_ebusiness::get_app_info();\n\nvar constraints = [\n { 'min_version' : '12.2.3', 'max_version' : '12.2.3.99999999', 'fix_patches' : '34450992, 34700264' },\n { 'min_version' : '12.2.4', 'max_version' : '12.2.4.99999999', 'fix_patches' : '34450992, 34700264, 34291981' },\n { 'min_version' : '12.2.5', 'max_version' : '12.2.5.99999999', 'fix_patches' : '34450992, 34700264, 34291981' },\n { 'min_version' : '12.2.6', 'max_version' : '12.2.6.99999999', 'fix_patches' : '34450992, 34461755, 34534507, 34291981' },\n { 'min_version' : '12.2.7', 'max_version' : '12.2.7.99999999', 'fix_patches' : '34450992, 34285063, 34556525, 34291981' },\n { 'min_version' : '12.2.8', 'max_version' : '12.2.8.99999999', 'fix_patches' : '34450992, 34285063, 34556525, 34291981' },\n { 'min_version' : '12.2.9', 'max_version' : '12.2.9.99999999', 'fix_patches' : '34450992, 34461761, 34556525, 34291981' },\n { 'min_version' : '12.2.10', 'max_version' : '12.2.10.99999999', 'fix_patches' : '34450992, 34461765, 34556525, 34291981' },\n { 'min_version' : '12.2.11', 'max_version' : '12.2.11.99999999', 'fix_patches' : '34450992, 34461768, 34556525, 34291981' }\n];\n\nvcf::oracle_ebusiness::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n fix_date:'202210'\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T14:27:26", "description": "According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote host is 16.x prior to 16.2.16.4 or 17.x prior to 17.12.11.6 or 18.x prior to 18.8.18.3 or 19.x prior to 19.12.13 or 20.x prior to 20.12.1. It is, therefore, affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory.\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform (MPXJ)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12 and 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can result in takeover of Primavera Unifier.\n (CVE-2020-25020)\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core, Config (Apache Ant)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12 and 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera Unifier accessible data.\n (CVE-2020-11979)\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core (Apache Commons BeanUtils)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12 and 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read access to a subset of Primavera Unifier accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera Unifier. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "nessus", "title": "Oracle Primavera Unifier (Jan 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2020-11979", "CVE-2020-25020", "CVE-2020-35460"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:primavera_unifier"], "id": "ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/145569", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145569);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-10086\",\n \"CVE-2020-11979\",\n \"CVE-2020-25020\",\n \"CVE-2020-35460\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Primavera Unifier (Jan 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote host is\n16.x prior to 16.2.16.4 or 17.x prior to 17.12.11.6 or 18.x prior to 18.8.18.3 or 19.x prior to 19.12.13 or 20.x prior\nto 20.12.1. It is, therefore, affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory.\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform\n (MPXJ)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12 and 20.12. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise\n Primavera Unifier. Successful attacks of this vulnerability can result in takeover of Primavera Unifier.\n (CVE-2020-25020)\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core,\n Config (Apache Ant)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12 and\n 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to\n compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized\n creation, deletion or modification access to critical data or all Primavera Unifier accessible data.\n (CVE-2020-11979)\n\n - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core\n (Apache Commons BeanUtils)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8, 19.12\n and 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP\n to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read\n access to a subset of Primavera Unifier accessible data and unauthorized ability to cause a partial denial\n of service (partial DOS) of Primavera Unifier. (CVE-2019-10086)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujan2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujan2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\&qu

Security Bulletin: Security vulnerabilities are identified in WebSphere Application Server where Rational Asset Manager is deployed (CVE-2019-10086 and CVE-2020-4329)

Description

Affected Software

Related