IBME0776B408B5AC23FBCD9630060E22B9F8B24DD6EA282E4F7660D832B5442EE2FSecurity Bulletin: IBM WebSphere Application Server, shipped as part of IBM Cloud Pak for Appplications, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20492)
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.002 Low
EPSS
Percentile
50.1%
Summary
Java Batch which is shipped with the IBM WebSphere Application Server Liberty and Traditional profiles, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2021-20492)
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
| Principal Product(s) and Version(s) | Affected Supporting Product(s) and Versions(s) |
|---|---|
| IBM Cloud Pak for Applications, All versions |
WebSphere Application Server Liberty
- 17.0.0.3 - 21.0.0.5
WebSphere Application Server
- 9
- 8.5
- 8
Remediation/Fixes
Workarounds and Mitigations
None
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.002 Low
EPSS
Percentile
50.1%