Sep 14, 2022 - 3:02 p.m.

Security Bulletin: A security vulnerability in FileNet Content Management Interoperability Services (CMIS) might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2018-1364)

2022-09-14 15:02:20
www.ibm.com

CVSS3: 8.2 High

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: LOW

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVSS2: 6.4 Medium

- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

EPSS: 0.002 Low (percentile 56.0%)

Summary

An XML external entity security vulnerability has been reported for FileNet Content Management Interoperability Services (CMIS) shipped with IBM Business Automation Workflow and IBM BPM.

Vulnerability Details

CVEID: CVE-2018-1364
DESCRIPTION: IBM Content Navigator 2.0 and 3.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 137449.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137449> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

Remediation/Fixes

Install interim fix PJ45479 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.

For IBM Business Automation Workflow V18.0.0.0
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix PJ45479
--OR--
· Apply Cumulative Fix V18.0.0.1 or later

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix PJ45479
--OR--
· Apply Cumulative Fix 2018.03 or later

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix PJ45479

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
· Apply CF2 as required by iFix and then apply iFix PJ45479

For IBM BPM V8.5.5.0
· Apply iFix PJ45479

For IBM BPM V8.5.0.0 through V8.5.0.2
· Install Fix Pack 2 as required by iFix and then apply iFix PJ45479

