Lucene search

IBME0513C178FFEC5882AC83380B2E89887CC93FCDCE2800C23A1911D9C21A689FE

HistoryMar 27, 2024 - 9:25 a.m.

Security Bulletin: Enterprise Content Manager System Monitor For March 2024 - Multiple CVE adressed

2024-03-2709:25:16

www.ibm.com

remote code execution

denial of service

liquibase

xml processing

java se

enterprise content management

system monitor

cve-2022-0839

cve-2023-22049

vulnerabilities

fix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

80.0%

JSON

Summary

Enterprise Content Manager System Monitor is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed.

Vulnerability Details

CVEID:CVE-2022-0839
**DESCRIPTION:**Liquibase is vulnerable to XML external entity processing, caused by improper validation of user-supplied input by the XMLChangeLogSAXParser() function. A remote attacker could exploit this vulnerability to input a malicious XML reference to an external entity to be processed by a weakly configured XML parser. An attacker can use this vulnerability to disclose sensitive information or conduct SSRF attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221019 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Enterprise Content Management System Monitor	5.5

Remediation/Fixes

Fixed in Enterprise Content Management System Monitor 5.5.11.0-000.

Workarounds and Mitigations

None

CPENameOperatorVersion
enterprise content management system monitoreq5.5

CPE	Name	Operator	Version
	enterprise content management system monitor	eq	5.5

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

80.0%

JSON

Related for E0513C178FFEC5882AC83380B2E89887CC93FCDCE2800C23A1911D9C21A689FE