logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

2019-02-18T14:10:01

Description

## Summary IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to multiple security vulnerabilities. There are multiple vulnerabilities fixes to open source libraries distributed with IGI, other less secure algorithms for crypto, xss attacks and click jacking attacks. ## Vulnerability Details **CVEID:** [CVE-2018-0124](<https://vulners.com/cve/CVE-2018-0124>) **DESCRIPTION:** Cisco Unified Communications Domain Manager could allow a remote attacker to execute arbitrary code on the system, caused by insecure key generation during application configuration. By sending arbitrary requests using the insecure key, an attacker could exploit this vulnerability to bypass security protections, gain elevated privileges and execute arbitrary code on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139282> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2018-0125](<https://vulners.com/cve/CVE-2018-0125>) **DESCRIPTION:** Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC VPN Routers could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete input validation on user-controlled input in an HTTP request in the Web interface. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges or cause the device to reload. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138770> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2015-5237](<https://vulners.com/cve/CVE-2015-5237>) **DESCRIPTION:** Google Protocol Buffers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in MessageLite::SerializeToString. A remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service. CVSS Base Score: 6.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/105989> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2013-4517](<https://vulners.com/cve/CVE-2013-4517>) **DESCRIPTION:** Apache Santuario XML Security for Java is vulnerable to a denial of service, caused by an out of memory error when allowing Document Type Definitions (DTDs). A remote attacker could exploit this vulnerability via XML Signature transforms to cause a denial of service. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89891> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2014-3596](<https://vulners.com/cve/CVE-2014-3596>) **DESCRIPTION:** Apache Axis and Axis2 could allow a remote attacker to conduct spoofing attacks, caused by and incomplete fix related to the failure to verify that the server hostname matches a domain name in the subject''s Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95377> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2012-5784](<https://vulners.com/cve/CVE-2012-5784>) **DESCRIPTION:** Apache Axis 1.4, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject''s Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79829> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2013-2186](<https://vulners.com/cve/CVE-2013-2186>) **DESCRIPTION:** Apache commons-fileupload could allow a remote attacker to overwrite arbitrary files on the system, caused by a NULL byte in the implementation of the DiskFileItem class. By sending a serialized instance of the DiskFileItem class, an attacker could exploit this vulnerability to write or overwrite arbitrary files on the system. CVSS Base Score: 6.4 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/88133> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P) **CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) **DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) **DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) **DESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-4517](<https://vulners.com/cve/CVE-2013-4517>) **DESCRIPTION:** Apache Santuario XML Security for Java is vulnerable to a denial of service, caused by an out of memory error when allowing Document Type Definitions (DTDs). A remote attacker could exploit this vulnerability via XML Signature transforms to cause a denial of service. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89891> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-2172](<https://vulners.com/cve/CVE-2013-2172>) **DESCRIPTION:** Apache Santuario XML Security for Java could allow a remote attacker to conduct spoofing attacks, caused by the failure to restrict canonicalization algorithms to be applied to the CanonicalizationMethod parameter. An attacker could exploit this vulnerability to spoof the XML signature. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85323> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) **DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) **DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) **DESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) **DESCRIPTION:** Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base Score: 3.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82618> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) **CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) **DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) **DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) **DESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) **DESCRIPTION:** Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base Score: 3.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82618> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) **CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) **DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) **DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) **DESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) **DESCRIPTION:** Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base Score: 3.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82618> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) **CVEID:** [CVE-2014-0054](<https://vulners.com/cve/CVE-2014-0054>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error in Jaxb2RootElementHttpMessageConverter when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91841> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2013-7315](<https://vulners.com/cve/CVE-2013-7315>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95219> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2013-6429](<https://vulners.com/cve/CVE-2013-6429>) **DESCRIPTION:** Spring Framework could allow a remote attacker to obtain sensitive information, caused by an error when parsing XML entities. By persuading a victim to open a specially-crafted XML document containing external entity references, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90451> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2013-4152](<https://vulners.com/cve/CVE-2013-4152>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86589> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2011-2730](<https://vulners.com/cve/CVE-2011-2730>) **DESCRIPTION:** Spring Framework could allow a remote attacker to obtain sensitive information, caused by an error when handling the Expression Language. An attacker could exploit this vulnerability to obtain classpaths and other sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/69688> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2010-1622](<https://vulners.com/cve/CVE-2010-1622>) **DESCRIPTION:** Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an error in the mechanism to use client provided data to update the properties of an object. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/59573> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVEID:** [CVE-2018-1272](<https://vulners.com/cve/CVE-2018-1272>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141286> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2018-1271](<https://vulners.com/cve/CVE-2018-1271>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to configure Spring MVC to serve static resources. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141285> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) **CVEID:** [CVE-2018-1270](<https://vulners.com/cve/CVE-2018-1270>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the exposure of STOMP over WebSocket endpoints with a STOMP broker through the spring-messaging module. By sending a specially-crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141284> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2016-9878](<https://vulners.com/cve/CVE-2016-9878>) **DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize paths provided to ResourceServlet. An attacker could send a specially-crafted URL request containing directory traversal sequences to view arbitrary files on the system. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120241> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [CVE-2014-1904](<https://vulners.com/cve/CVE-2014-1904>) **DESCRIPTION:** Spring MVC is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the FormTag.java script. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91890> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2014-3596](<https://vulners.com/cve/CVE-2014-3596>) **DESCRIPTION:** Apache Axis and Axis2 could allow a remote attacker to conduct spoofing attacks, caused by and incomplete fix related to the failure to verify that the server hostname matches a domain name in the subject''s Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95377> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2012-5784](<https://vulners.com/cve/CVE-2012-5784>) **DESCRIPTION:** Apache Axis 1.4, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject''s Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79829> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2013-3060](<https://vulners.com/cve/CVE-2013-3060>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a denial of service, caused by the failure to require authentication, by the Web console. By sending specially-crafted HTTP requests, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base Score: 6.4 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83719> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) **CVEID:** [CVE-2013-1880](<https://vulners.com/cve/CVE-2013-1880>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the demo/portfolioPublish script. A remote attacker could exploit this vulnerability using the refresh parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103075> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2013-1879](<https://vulners.com/cve/CVE-2013-1879>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling cron jobs. A remote attacker could exploit this vulnerability using specific parameters to inject malicious script into a Web page which would be executed in a victim''s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85586> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2012-6551](<https://vulners.com/cve/CVE-2012-6551>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a denial of service, caused by the enablement of a sample web application by the default configuration. By sending specially-crafted HTTP requests, an attacker could exploit this vulnerability to consume broker resources and cause a denial of service. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83718> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2012-6092](<https://vulners.com/cve/CVE-2012-6092>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by multiple vectors. A remote attacker could exploit this vulnerability using various parameters in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83720> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2012-5784](<https://vulners.com/cve/CVE-2012-5784>) **DESCRIPTION:** Apache Axis 1.4, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject''s Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79829> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2011-4905](<https://vulners.com/cve/CVE-2011-4905>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a denial of service, caused by an error in the failover mechanism when handling an openwire connection request. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the broker service to crash. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/71620> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2015-1830](<https://vulners.com/cve/CVE-2015-1830>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to traverse directories on the system, caused by an error in the fileserver upload/download functionality. By placing a jsp file in the admin console, an attacker could exploit this vulnerability to execute arbitrary shell commands on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/105644> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-8110](<https://vulners.com/cve/CVE-2014-8110>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100724> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2014-3612](<https://vulners.com/cve/CVE-2014-3612>) **DESCRIPTION:** Apache ActiveMQ could allow a remote authenticated attacker to bypass security restrictions, caused by an error in the LDAPLoginModule implementation. By sending an empty password, an attacker could exploit this vulnerability to bypass the authentication mechanism of an application using LDAPLoginModule and assume the role of another user. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100723> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) **CVEID:** [CVE-2014-3600](<https://vulners.com/cve/CVE-2014-3600>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially-crafted XML data to specify an XPath based selector, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100722> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) **CVEID:** [CVE-2014-3576](<https://vulners.com/cve/CVE-2014-3576>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a denial of service, caused by an error in the processControlCommand function in broker/TransportConnection.java. A remote attacker could use the shutdown command to shutdown the service. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107290> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [CVE-2015-6524](<https://vulners.com/cve/CVE-2015-6524>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a brute force attack, caused by an error in the LDAPLoginModule implementation. An attacker could exploit this vulnerability using the wildcard in usernames to obtain user credentials. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106187> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVEID:** [CVE-2015-5254](<https://vulners.com/cve/CVE-2015-5254>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the classes that can be serialized in the broker. An attacker could exploit this vulnerability using a specially crafted serialized Java Message Service (JMS) ObjectMessage object to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109632> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2015-5184](<https://vulners.com/cve/CVE-2015-5184>) **DESCRIPTION:** Red Hat JBoss A-MQ could allow a remote attacker to obtain sensitive information, caused by the Access-Control-Allow-Origin header permits unrestricted sharing in Hawtio console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132635> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2015-5183](<https://vulners.com/cve/CVE-2015-5183>) **DESCRIPTION:** Red Hat JBoss A-MQ could allow a remote attacker to obtain sensitive information, caused by no HTTPOnly or Secure attributes on cookies configured in Hawtio console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain an authenticated user''s SessionID. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132634> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2015-5182](<https://vulners.com/cve/CVE-2015-5182>) **DESCRIPTION:** Red Hat JBoss A-MQ is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the jolokia API. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base Score: 8.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132633> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2015-6524](<https://vulners.com/cve/CVE-2015-6524>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to a brute force attack, caused by an error in the LDAPLoginModule implementation. An attacker could exploit this vulnerability using the wildcard in usernames to obtain user credentials. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106187> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVEID:** [CVE-2015-5254](<https://vulners.com/cve/CVE-2015-5254>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the classes that can be serialized in the broker. An attacker could exploit this vulnerability using a specially crafted serialized Java Message Service (JMS) ObjectMessage object to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109632> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2015-5184](<https://vulners.com/cve/CVE-2015-5184>) **DESCRIPTION:** Red Hat JBoss A-MQ could allow a remote attacker to obtain sensitive information, caused by the Access-Control-Allow-Origin header permits unrestricted sharing in Hawtio console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132635> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2015-5183](<https://vulners.com/cve/CVE-2015-5183>) **DESCRIPTION:** Red Hat JBoss A-MQ could allow a remote attacker to obtain sensitive information, caused by no HTTPOnly or Secure attributes on cookies configured in Hawtio console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain an authenticated user''s SessionID. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132634> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2015-5182](<https://vulners.com/cve/CVE-2015-5182>) **DESCRIPTION:** Red Hat JBoss A-MQ is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the jolokia API. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base Score: 8.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132633> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2016-0782](<https://vulners.com/cve/CVE-2016-0782>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web based administration console. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111420> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2016-0734](<https://vulners.com/cve/CVE-2016-0734>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to hijack the clicking action of the victim, caused by the failure to set the X-Frame-Options header in HTTP responses by the Administrative Web console. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim''s click actions. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111421> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) **CVEID:** [CVE-2016-3088](<https://vulners.com/cve/CVE-2016-3088>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Fileserver web application. By sending a specially crafted HTTP PUT request and an HTTP MOVE request, an attacker could exploit this vulnerability to create an arbitrary file and execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113414> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2016-6810](<https://vulners.com/cve/CVE-2016-6810>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119699> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2016-0782](<https://vulners.com/cve/CVE-2016-0782>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web based administration console. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111420> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2016-0734](<https://vulners.com/cve/CVE-2016-0734>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to hijack the clicking action of the victim, caused by the failure to set the X-Frame-Options header in HTTP responses by the Administrative Web console. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim''s click actions. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111421> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) **CVEID:** [CVE-2016-3088](<https://vulners.com/cve/CVE-2016-3088>) **DESCRIPTION:** Apache ActiveMQ could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Fileserver web application. By sending a specially crafted HTTP PUT request and an HTTP MOVE request, an attacker could exploit this vulnerability to create an arbitrary file and execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113414> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2016-6810](<https://vulners.com/cve/CVE-2016-6810>) **DESCRIPTION:** Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119699> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2016-9739](<https://vulners.com/cve/CVE-2016-9739>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance stores user credentials in plain in clear text which can be read by a local user. CVSS Base Score: 6.2 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119789> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2016-0357](<https://vulners.com/cve/CVE-2016-0357>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim''s click actions and possibly launch further attacks against the victim. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111896> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) **CVEID:** [CVE-2016-0340](<https://vulners.com/cve/CVE-2016-0340>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance could allow a local user to take over a previously logged in user due to session expiration not being enforced. CVSS Base Score: 4.9 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111780> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2016-0339](<https://vulners.com/cve/CVE-2016-0339>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance could allow an attacker with traffic records between a victim and the ISIM to spoof another user due to invalid session identifiers after the victim has logged out. CVSS Base Score: 5.6 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111749> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2016-0338](<https://vulners.com/cve/CVE-2016-0338>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance could allow a local user to obtain sensitive information including passwords in cleartext by examining configuration files and/or running processes. CVSS Base Score: 6.2 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111748> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2016-0330](<https://vulners.com/cve/CVE-2016-0330>) **DESCRIPTION:** IBM Security Identity Manager Virtual Appliance uses a weak password algorithm which allows users to create insecure passwords. An attacker could exploit this vulnerability to gain access to the system. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111693> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) **DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) **DESCRIPTION:** Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117957> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) **DESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) **CVEID:** [CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) **DESCRIPTION:** Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base Score: 3.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82618> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) **CVEID:** [CVE-2018-7489](<https://vulners.com/cve/CVE-2018-7489>) **DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139549> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2018-5968](<https://vulners.com/cve/CVE-2018-5968>) **DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass a blocklist, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138088> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [CVE-2017-7525](<https://vulners.com/cve/CVE-2017-7525>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134639> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2017-17485](<https://vulners.com/cve/CVE-2017-17485>) **DESCRIPTION:** Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137340> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2017-15095](<https://vulners.com/cve/CVE-2017-15095>) **DESCRIPTION:** Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135123> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) **CVEID:** [CVE-2018-1000199](<https://vulners.com/cve/CVE-2018-1000199>) **DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a ptrace() error handling flaw. By invoking the modify_user_hw_breakpoint() function, a local attacker could exploit this vulnerability to cause the kernel to crash. CVSS Base Score: 6.2 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142654> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [CVE-2018-8897](<https://vulners.com/cve/CVE-2018-8897>) **DESCRIPTION:** Multiple operating systems could allow a local authenticated attacker to gain elevated privileges on the system, caused by developer interpretation of hardware debug exception documentation for the MOV to SS and POP SS instructions. An attacker could exploit this vulnerability using operating system APIs to obtain sensitive memory information or control low-level operating system functions and other unexpected behavior. CVSS Base Score: 7 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142242> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2018-1091](<https://vulners.com/cve/CVE-2018-1091>) **DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a missing processor feature check in the flush_tmregs_to_thread function. A local attacker could exploit this vulnerability to cause the guest kernel to crash. CVSS Base Score: 6.2 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140892> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [CVE-2018-1087](<https://vulners.com/cve/CVE-2018-1087>) **DESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the improper handling of exceptions delivered after a stack switch operation using the MOV to SS and POP SS instructions by the KVM hypervisor. An attacker could exploit this vulnerability to gain elevated privileges or cause the guest to crash. CVSS Base Score: 8.4 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142976> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2018-1068](<https://vulners.com/cve/CVE-2018-1068>) **DESCRIPTION:** Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an error in the implementation of 32 bit syscall interface. An attacker could exploit this vulnerability to gain root privileges on the system. CVSS Base Score: 8.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140403> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) **CVEID:** [CVE-2017-16939](<https://vulners.com/cve/CVE-2017-16939>) **DESCRIPTION:** Linux Kernel could allow a remote attacker to gain elevated privileges on the system, caused by an use-after-free in the Netlink socket subsystem XFRM. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain privileges. CVSS Base Score: 9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135317> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [CVE-2018-10915](<https://vulners.com/cve/CVE-2018-10915>) **DESCRIPTION:** PostgreSQL could allow a remote attacker to bypass security restrictions, caused by an issue with improperly resting internal state in between connections in the libpq library. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass client-side connection security features. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148225> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) **CVEID:** [CVE-2018-5740](<https://vulners.com/cve/CVE-2018-5740>) **DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by a defect in the deny-answer-aliases feature. By triggering this defect, a remote attacker could exploit this vulnerability to cause an INSIST assertion failure in name.c. CVSS Base Score: 7.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148131> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [CVE-2018-3693](<https://vulners.com/cve/CVE-2018-3693>) **DESCRIPTION:** Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory. CVSS Base Score: 7.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146191> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) **CVEID:** [CVE-2018-3646](<https://vulners.com/cve/CVE-2018-3646>) **DESCRIPTION:** Multiple Intel CPU''s could allow a local attacker to obtain sensitive information, caused by a flaw in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks and via a terminal page fault, an attacker with guest OS privilege could exploit this vulnerability to leak information residing in the L1 data cache and read data belonging to different security contexts. CVSS Base Score: 7.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148319> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) **CVEID:** [CVE-2018-3620](<https://vulners.com/cve/CVE-2018-3620>) **DESCRIPTION:** Multiple Intel CPU''s could allow a local attacker to obtain sensitive information, caused by a flaw in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks and via a terminal page fault, an attacker could exploit this vulnerability to leak information residing in the L1 data cache and read data belonging to different security contexts. Note: This vulnerability is also known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack. CVSS Base Score: 7.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148318> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) **CVEID:** [CVE-2018-1944](<https://vulners.com/cve/CVE-2018-1944>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base Score: 5.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153386> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2018-1945](<https://vulners.com/cve/CVE-2018-1945>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153387> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2017-7957](<https://vulners.com/cve/CVE-2017-7957>) **DESCRIPTION:** XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type ''void'' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125800> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [CVE-2016-3674](<https://vulners.com/cve/CVE-2016-3674>) **DESCRIPTION:** XStream could allow a remote attacker to obtain sensitive information, caused by an error when processing XML external entities. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 5.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111806> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [CVE-2013-7285](<https://vulners.com/cve/CVE-2013-7285>) **DESCRIPTION:** XStream could allow a remote attacker to execute arbitrary code on the system, caused by an error in the XMLGenerator API. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. CVSS Base Score: 6.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90229> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) **CVEID:** [CVE-2018-1946](<https://vulners.com/cve/CVE-2018-1946>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. CVSS Base Score: 5.9 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153388> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [CVE-2018-1947](<https://vulners.com/cve/CVE-2018-1947>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base Score: 6.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153427> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) **CVEID:** [CVE-2018-1948](<https://vulners.com/cve/CVE-2018-1948>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153428> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) **CVEID:** [CVE-2018-1949](<https://vulners.com/cve/CVE-2018-1949>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153429> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [CVE-2018-1950](<https://vulners.com/cve/CVE-2018-1950>) **DESCRIPTION:** IBM Security Identity Governance Virtual Appliance generates an error message that includes sensitive information about its environment, users, or associated data which could be used in further attacks against the system. CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153430> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ## Affected Products and Versions IBM Security Identity Governance and Intelligence (IGI) 5.2, 5.2.1, 5.2.2, 5.2.2.1, 5.2.3, 5.2.3.1, 5.2.3.2, 5.2.4, 5.2.4.1 ## Remediation/Fixes Product Name | VRMF | First Fix ---|---|--- IGI | 5.2 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.1 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.2 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.2.1 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.3 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.3.1 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.3.2 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.4 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) IGI | 5.2.4.1 | [5.2.5.0-ISS-ISIG-VA-FP0000](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=Linux&function=all>) ## Workarounds and Mitigations None ##


Affected Software


CPE Name Name Version
ibm security identity governance and intelligence 5.2
ibm security identity governance and intelligence 5.2.1
ibm security identity governance and intelligence 5.2.2
ibm security identity governance and intelligence 5.2.2.1
ibm security identity governance and intelligence 5.2.3
ibm security identity governance and intelligence 5.2.3.1
ibm security identity governance and intelligence 5.2.3.2
ibm security identity governance and intelligence 5.2.4
ibm security identity governance and intelligence 5.2.4.1

Related


ibm
software

Security Bulletin: IBM Security Directory Integrator is affected by multiple security vulnerabilities

2023-06-22T16:30:54
ibm
software

Security Bulletin: Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

2021-04-28T18:35:50
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in ActiveMQ Affect IBM Sterling B2B Integrator

2020-02-05T00:53:36
ibm
software

Security Bulletin: Public disclosed vulnerabilities from Jackson-databind affects IBM Spectrum LSF

2019-03-01T14:00:01
ibm
software

Security Bulletin: IBM InfoSphere Change Data Capture is affected by a Jackson 2.3.3 and 2.4.4 open source library vulnerabilities

2022-03-03T17:16:13
ibm
software

Security Bulletin: IBM Security Directory Suite is vulnerable to multiple issues

2023-06-06T18:05:17
ibm
software

Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM SDN VE (CVE- 2011-4905, CVE-2013-0248,CVE-2014-0050,CVE-2014-3577,CVE-2014-0054,CVE- 2013-7315,CVE-2013-6429,CVE-2014-0119,CVE-2014-0099,CVE-2014-1904)

2018-06-18T01:27:28
ibm
software

Security Bulletin: Security vulnerabilities in ActiveMQ 5.2.0 affect IBM Sterling B2B Integrator (CVE-2015-1830, CVE-2014-8110, CVE-2013-3060, CVE-2013-1880, CVE-2013-1879, CVE-2012-6551, CVE-2012-6092, CVE-2010-1587, CVE-2010-1244, CVE-2010-0684)

2018-06-16T19:48:26
ibm
software

Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723)

2022-09-26T05:34:17
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons FileUpload affect IBM Application Performance Management products

2023-09-25T09:03:43
ibm
software

Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

2018-12-03T14:30:01
ibm
software

Security Bulletin: OpenSource Spring Source/Pivotal Spring Framework Vulnerabilities affect IBM Security Guardium (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

2018-06-16T21:50:03
ibm
software

Security Bulletin: Security vulnerabilities have been identified in IBM Tivoli Integrated Portal (TIP) shipped with Tivoli Business Service Manager (CVE-2015-5254, CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579)

2018-06-17T15:50:03
ibm
software

Security Bulletin: Multiple vulnerabilities has been identified in Jackson JSON library shipped with IBM Tivoli Netcool/OMNIbus Integrations Transport Module Common Integration Library (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)

2018-06-17T15:51:29
ibm
software

Security Bulletin: Vulnerabilities in OpenSource Spring Source/Pivotal Spring Framework affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

2019-01-22T16:30:15
ibm
software

Security Bulletin: OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2

2018-06-17T15:50:02
ibm
software

Security Bulletin: IBM Tivoli Netcool Impact is affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (TIP)

2018-06-17T15:50:03
ibm
software

Security Bulletin: Multiple vulnerabilities in Jackson-databind affect IBM InfoSphere Information Server

2018-07-12T00:16:00
ibm
software

Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)

2023-01-03T15:55:34
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Affect IBM Sterling B2B Integrator (CVE-2016-3092, CVE-2014-0050, CVE-2013-0248)

2020-02-05T00:53:36
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in Spring Framework Affect IBM Sterling B2B Integrator

2022-05-13T14:58:22
ibm
software

Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - activemq-camel-5.15.9.jar (CVE-2015-5182, CVE-2015-5183, CVE-2015-5184, CVE-2020-1941)

2020-08-31T22:52:45
ibm
software

Security Bulletin: Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management

2022-04-12T22:52:18
ibm
software

Security Bulletin: IBM QRadar SIEM contains vulnerable components and libraries. (CVE-2011-4905, CVE-2014-3576)

2018-06-16T22:06:31
ibm
software

Security Bulletin: Multiple Apache Commons FileUpload vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2014-0034, CVE-2014-0050, CVE-2013-2186, CVE-2016-3092)

2021-11-07T05:55:47
ibm
software

Security Bulletin: Two vulnerabilities exist in IBM Case Foundation and FileNet Business Process Manager (CVE-2012-5784 and CVE-2014-3596)

2018-06-17T12:12:09
ibm
software

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jackson databind

2021-06-02T23:46:43
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons FileUpload affect IBM InfoSphere Information Server

2019-07-11T20:55:02
ibm
software

Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Apache Santuario XML Security for Java (CVE-2013-4517, CVE-2013-2172)

2022-10-14T21:43:17
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in Apache Axis Affect IBM Sterling B2B Integrator (CVE-2014-3596, CVE-2012-5784)

2020-02-05T00:53:36
redhat
unix

(RHSA-2018:1318) Important: kernel security, bug fix, and enhancement update

2018-05-08T17:15:15
redhat
unix

(RHSA-2013:1029) Important: Fuse MQ Enterprise 7.1.0 update

2013-07-09T00:00:00
redhat
unix

(RHSA-2018:1355) Important: kernel-rt security and bug fix update

2018-05-08T22:00:35
redhat
unix

(RHSA-2018:0342) Important: rh-maven35-jackson-databind security update

2018-02-22T08:56:45
redhat
unix

(RHSA-2018:0116) Important: rh-eclipse46-jackson-databind security update

2018-01-23T05:27:26
redhat
unix

(RHSA-2015:0137) Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security and bug fix update

2015-02-05T21:28:20
redhat
unix

(RHSA-2016:1424) Moderate: Red Hat JBoss Fuse/A-MQ 6.2.1 security and bug fix update

2016-07-13T19:42:20
redhat
unix

(RHSA-2018:1348) Important: kernel security update

2018-05-08T20:53:34
redhat
unix

(RHSA-2018:1345) Important: kernel security update

2018-05-08T18:47:46
redhat
unix

(RHSA-2018:1347) Important: kernel security update

2018-05-08T20:52:55
redhat
unix

(RHSA-2014:0400) Moderate: Red Hat JBoss Fuse 6.1.0 update

2014-04-14T00:00:00
redhat
unix

(RHSA-2014:0212) Moderate: Red Hat JBoss SOA Platform 5.3.1 update

2014-02-25T16:33:00
redhat
unix

(RHSA-2017:3190) Important: rh-eclipse46-jackson-databind security update

2017-11-13T04:15:22
redhat
unix

(RHSA-2018:0577) Important: Red Hat JBoss BPM Suite 6.4.9 security update

2018-03-22T08:09:42
nessus
scanner

Scientific Linux Security Update : kernel on SL7.x x86_64 (20180508)

2018-05-09T00:00:00
nessus
scanner

Oracle Linux 7 : kernel (ELSA-2018-1318)

2018-05-10T00:00:00
nessus
scanner

RHEL 7 : kernel (RHSA-2018:1318)

2018-05-09T00:00:00
nessus
scanner

CentOS 7 : kernel (CESA-2018:1318)

2018-05-31T00:00:00
nessus
scanner

Apache ActiveMQ 5.x < 5.10.1 Multiple Vulnerabilities

2015-10-22T00:00:00
nessus
scanner

RHEL 7 : kernel-rt (RHSA-2018:1355)

2018-05-09T00:00:00
nessus
scanner

Apache ActiveMQ 5.x < 5.10.1 / 5.11.0 Multiple Vulnerabilities

2015-02-16T00:00:00
nessus
scanner

Amazon Linux 2 : kernel (ALAS-2018-1023)

2018-05-30T00:00:00
nessus
scanner

RHEL 7 : rh-maven35-jackson-databind (RHSA-2018:0342)

2018-04-30T00:00:00
nessus
scanner

JFrog < 7.8.1 Multiple Vulnerabilities

2021-03-12T00:00:00
nessus
scanner

Debian DSA-3330-1 : activemq - security update

2015-08-13T00:00:00
nessus
scanner

RHEL 7 : kernel (RHSA-2018:1347)

2018-05-09T00:00:00
nessus
scanner

RHEL 7 : rh-eclipse46-jackson-databind (RHSA-2018:0116)

2018-04-30T00:00:00
nessus
scanner

GLSA-202107-39 : Apache Commons FileUpload: Multiple vulnerabilities

2022-01-24T00:00:00
nessus
scanner

Ubuntu 14.04 LTS / 16.04 LTS : Linux kernel vulnerabilities (USN-3641-1)

2018-05-09T00:00:00
nessus
scanner

RHEL 7 : kernel (RHSA-2018:1348)

2018-05-09T00:00:00
nessus
scanner

RHEL 7 : kernel (RHSA-2018:1345)

2018-05-09T00:00:00
nessus
scanner

Amazon Linux AMI : kernel (ALAS-2018-1023)

2018-05-30T00:00:00
nessus
scanner

Debian DSA-4114-1 : jackson-databind - security update

2018-02-16T00:00:00
nessus
scanner

openSUSE Security Update : axis (openSUSE-2019-1497)

2019-06-04T00:00:00
nessus
scanner

F5 Networks BIG-IP : Apache Axis vulnerability (SOL16821)

2016-09-02T00:00:00
nessus
scanner

FreeBSD : payara -- Default typing issue in Jackson Databind (93f8e0ff-f33d-11e8-be46-0019dbb15b3f)

2018-11-29T00:00:00
nessus
scanner

openSUSE Security Update : axis (openSUSE-2019-1526)

2019-06-10T00:00:00
nessus
scanner

Debian DLA-169-1 : axis security update

2015-03-26T00:00:00
oraclelinux
unix

kernel security, bug fix, and enhancement update

2018-05-09T00:00:00
oraclelinux
unix

kernel security update

2018-05-22T00:00:00
openvas
scanner

CentOS Update for kernel CESA-2018:1318 centos7

2018-06-05T00:00:00
openvas
scanner

Apache ActiveMQ < 5.10.1 Multiple Security Vulnerabilities (Windows)

2017-11-07T00:00:00
openvas
scanner

Apache ActiveMQ < 5.10.1 Multiple Security Vulnerabilities (Linux)

2017-11-07T00:00:00
openvas
scanner

Fedora Update for jackson-databind FEDORA-2018-e4b025841e

2018-02-08T00:00:00
openvas
scanner

Fedora Update for jackson-databind FEDORA-2018-bbf8c38b51

2018-02-08T00:00:00
openvas
scanner

Apache ActiveMQ Multiple Vulnerabilities

2013-04-27T00:00:00
openvas
scanner

Ubuntu Update for linux USN-3641-1

2018-05-09T00:00:00
openvas
scanner

Debian Security Advisory DSA 3330-1 (activemq - security update)

2015-08-07T00:00:00
openvas
scanner

Debian Security Advisory DSA 3330-1 (activemq - security update)

2015-08-07T00:00:00
openvas
scanner

Apache ActiveMQ < 5.9.0 Multiple Cross Site Scripting Vulnerabilities

2013-08-13T00:00:00
openvas
scanner

Debian Security Advisory DSA 4114-1 (jackson-databind - security update)

2018-02-15T00:00:00
openvas
scanner

RedHat Update for axis RHSA-2014:1193-01

2014-09-16T00:00:00
openvas
scanner

CentOS Update for axis CESA-2014:1193 centos6

2014-09-16T00:00:00
openvas
scanner

openSUSE: Security Advisory for axis (openSUSE-SU-2019:1526-1)

2019-06-08T00:00:00
openvas
scanner

Debian Security Advisory DSA 4037-1 (jackson-databind - security update)

2017-11-16T00:00:00
openvas
scanner

Debian Security Advisory DSA 2890-1 (libspring-java - security update)

2014-03-29T00:00:00
openvas
scanner

openSUSE: Security Advisory for axis (openSUSE-SU-2019:1497-1)

2019-06-04T00:00:00
openvas
scanner

CentOS Update for axis CESA-2014:1193 centos5

2014-09-16T00:00:00
centos
unix

kernel, perf, python security update

2018-05-30T18:29:24
fedora
unix

[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-8.fc26

2018-02-07T13:00:23
fedora
unix

[SECURITY] Fedora 27 Update: jackson-databind-2.7.6-8.fc27

2018-02-07T13:18:19
fedora
unix

[SECURITY] Fedora 27 Update: jackson-databind-2.7.6-5.fc27

2017-11-15T17:58:38
prion
NVD

Xxe

2014-04-17T14:55:00
prion
NVD

Xxe

2014-01-26T16:58:00
prion
NVD

Remote code execution

2018-01-22T04:29:00
prion
NVD

Deserialization of untrusted data

2019-10-01T15:15:00
prion
NVD

Cross site scripting

2014-02-05T18:55:00
prion
NVD

Xxe

2014-01-23T21:55:00
prion
NVD

Cross site scripting

2013-04-21T21:55:00
prion
NVD

Authentication flaw

2015-08-24T14:59:00
prion
NVD

Authentication flaw

2015-08-24T14:59:00
prion
NVD

Design/Logic Flaw

2018-01-10T18:29:00
prion
NVD

Code injection

2014-08-27T00:55:00
github
software

Cross-Site Request Forgery in Spring Framework

2022-05-13T01:02:38
github
software

Cross-Site Request Forgery in Spring Framework

2022-05-13T01:02:39
github
software

Deserialization of Untrusted Data in jackson-databind

2020-06-30T20:40:50
github
software

Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl

2022-05-24T16:57:28
github
software

Apache ActiveMQ Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet

2022-05-17T03:46:32
github
software

Cross-site Scripting in Apache ActiveMQ

2022-05-17T03:46:33
github
software

Missing XML Validation in Spring Framework

2022-05-13T01:02:38
github
software

Improper Input Validation in Apache ActiveMQ

2022-05-17T03:22:06
github
software

Improper Authentication in Apache WSS4J

2022-05-14T01:14:52
github
software

Moderate severity vulnerability that affects org.apache.axis:axis

2018-10-16T20:50:58
github
software

jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

2018-10-18T17:42:48
github
software

FasterXML jackson-databind allows unauthenticated remote code execution

2018-10-16T17:45:18
osv
software

Cross-Site Request Forgery in Spring Framework

2022-05-13T01:02:38
osv
software

Cross-Site Request Forgery in Spring Framework

2022-05-13T01:02:39
osv
software

Deserialization of Untrusted Data in jackson-databind

2020-06-30T20:40:50
osv
software

activemq - security update

2015-08-07T00:00:00
osv
software

Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl

2022-05-24T16:57:28
osv
software

Apache ActiveMQ Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet

2022-05-17T03:46:32
osv
software

Missing XML Validation in Spring Framework

2022-05-13T01:02:38
osv
software

Cross-site Scripting in Apache ActiveMQ

2022-05-17T03:46:33
osv
software

jackson-databind - security update

2018-02-15T00:00:00
osv
software

axis - security update

2015-03-10T00:00:00
osv
software

FasterXML jackson-databind allows unauthenticated remote code execution

2018-10-16T17:45:18
osv
software

Improper Authentication in Apache WSS4J

2022-05-14T01:14:52
osv
software

Improper Input Validation in Apache ActiveMQ

2022-05-17T03:22:06
osv
software

jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

2018-10-18T17:42:48
osv
software

Moderate severity vulnerability that affects org.apache.axis:axis

2018-10-16T20:50:58
osv
software

jackson-databind - security update

2017-11-16T00:00:00
osv
software

libspring-java - security update

2014-03-29T00:00:00
ubuntucve
info

CVE-2014-0054

2014-04-17T00:00:00
ubuntucve
info

CVE-2013-6429

2014-01-26T00:00:00
ubuntucve
info

CVE-2018-5968

2018-01-22T00:00:00
ubuntucve
info

CVE-2013-1880

2014-02-05T00:00:00
ubuntucve
info

CVE-2012-6092

2013-04-21T00:00:00
ubuntucve
info

CVE-2013-7315

2014-01-23T00:00:00
ubuntucve
info

CVE-2014-3596

2014-08-27T00:00:00
ubuntucve
info

CVE-2014-3612

2015-08-24T00:00:00
ubuntucve
info

CVE-2015-6524

2015-08-24T00:00:00
ubuntucve
info

CVE-2012-5784

2012-11-04T00:00:00
debiancve
info

CVE-2014-0054

2014-04-17T14:55:00
debiancve
info

CVE-2013-6429

2014-01-26T16:58:00
debiancve
info

CVE-2018-5968

2018-01-22T04:29:00
debiancve
info

CVE-2013-1880

2014-02-05T18:55:00
debiancve
info

CVE-2013-7315

2014-01-23T21:55:00
debiancve
info

CVE-2012-6092

2013-04-21T21:55:00
debiancve
info

CVE-2014-3612

2015-08-24T14:59:00
debiancve
info

CVE-2015-6524

2015-08-24T14:59:00
debiancve
info

CVE-2014-3596

2014-08-27T00:55:00
debiancve
info

CVE-2017-17485

2018-01-10T18:29:00
cve
NVD

CVE-2014-0054

2014-04-17T14:55:00
cve
NVD

CVE-2013-6429

2014-01-26T16:58:00
cve
NVD

CVE-2018-5968

2018-01-22T04:29:00
cve
NVD

CVE-2019-10202

2019-10-01T15:15:00
cve
NVD

CVE-2013-1880

2014-02-05T18:55:00
cve
NVD

CVE-2012-6092

2013-04-21T21:55:00
cve
NVD

CVE-2013-7315

2014-01-23T21:55:00
cve
NVD

CVE-2014-3596

2014-08-27T00:55:00
cve
NVD

CVE-2014-3612

2015-08-24T14:59:00
cve
NVD

CVE-2015-6524

2015-08-24T14:59:00
cve
NVD

CVE-2018-7489

2018-02-26T15:29:00
amazon
unix

Important: kernel

2018-05-24T18:14:00
amazon
unix

Important: kernel

2018-05-25T18:12:00
checkpoint_advisories
info

Apache Struts2 Jackson Library Remote Code Execution (CVE-2017-15095; CVE-2017-17485; CVE-2017-7525; CVE-2018-7489)

2017-12-05T00:00:00
redhatcve
info

CVE-2018-5968

2020-04-09T12:20:28
redhatcve
info

CVE-2017-17485

2020-04-09T07:26:09
redhatcve
info

CVE-2019-10202

2019-10-12T02:27:16
redhatcve
info

CVE-2018-7489

2020-12-06T11:49:47
veracode
software

Remote Code Execution (RCE)

2018-01-22T07:53:13
veracode
software

Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers

2019-01-15T09:01:11
veracode
software

Remote Code Execution (RCE)

2019-01-15T09:20:28
veracode
software

Remote Code Execution (RCE)

2018-01-11T02:20:08
veracode
software

Remote Code Execution (RCE)

2018-02-27T02:43:42
securityvulns
software

CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 &#40;XXE&#41;

2014-05-05T00:00:00
securityvulns
software

[SECURITY] [DSA 3330-1] activemq security update

2015-08-24T00:00:00
securityvulns
software

CVE-2013-6429 Fix for XML External Entity &#40;XXE&#41; injection &#40;CVE-2013-4152&#41; in Spring Framework was incomplete

2014-01-19T00:00:00
debian
unix

[SECURITY] [DSA 3330-1] activemq security update

2015-08-07T21:08:36
debian
unix

[SECURITY] [DSA 4114-1] jackson-databind security update

2018-02-15T07:04:58
debian
unix

[SECURITY] [DSA 4114-1] jackson-databind security update

2018-02-15T07:04:58
debian
unix

[SECURITY] [DLA 169-1] axis security update

2015-03-10T18:47:07
debian
unix

[SECURITY] [DLA 169-1] axis security update

2015-03-10T18:47:07
debian
unix

[SECURITY] [DSA 4190-1] jackson-databind security update

2018-05-03T13:56:38
debian
unix

[SECURITY] [DSA 2890-1] libspring-java security update

2014-03-29T19:21:40
gentoo
unix

Apache Commons FileUpload: Multiple vulnerabilities

2021-07-17T00:00:00
cloudfoundry
software

USN-3641-1: Linux kernel vulnerabilities | Cloud Foundry

2018-06-05T00:00:00
ubuntu
unix

Linux kernel vulnerabilities

2018-05-08T00:00:00
ubuntu
unix

Linux kernel vulnerabilities

2018-05-08T00:00:00
thn
info

Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

2018-04-06T07:58:00
atlassian
software

Insecure version of Spring Web MVC used in Confluence Analytics

2020-02-19T22:31:10
mageia
unix

Updated jackson-databind packages fix security vulnerability

2018-02-25T02:25:24
zdt
exploit

Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution Vulnerabilities

2016-12-03T00:00:00
f5
software

SOL16821 - Apache Axis vulnerability CVE-2014-3596

2015-06-29T00:00:00
f5
software

Apache Axis vulnerability CVE-2014-3596

2015-06-30T06:43:00
suse
unix

Security update for axis (moderate)

2019-06-07T00:00:00
suse
unix

Security update for axis (moderate)

2019-06-03T00:00:00
seebug
exploit

Jackson-databind 远程代码执行漏洞(CVE-2017-17485)

2018-01-11T00:00:00
freebsd
unix

payara -- Default typing issue in Jackson Databind

2018-02-26T00:00:00