Nov 18, 2020 - 8:31 p.m.

Security Bulletin: CVE-2019-10173: the xstream API, if its security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands

2020-11-18 20:31:41
www.ibm.com
xstream api
remote attacker
arbitrary shell commands
ibm urbancode deploy
xml deserialization
cve-2019-10173

EPSS: 0.932
Percentile: 99.1%

Summary

CVE-2019-10173: the xstream API, if its security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands.

Vulnerability Details

CVEID: CVE-2019-10173
**DESCRIPTION:** The xstream API could allow a remote attacker to execute arbitrary commands on the system, caused by insecure XML deserialization. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164187 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| UCD - IBM UrbanCode Deploy | 6.2.7.4 |
| UCD - IBM UrbanCode Deploy | 6.2.7.3 |
| UCD - IBM UrbanCode Deploy | 7.0.4.0 |
| UCD - IBM UrbanCode Deploy | 7.0.3.0 |
| UCD - IBM UrbanCode Deploy | All |

Remediation/Fixes

Upgrade to 6.2.7.9, 7.0.5.4, 7.1.1.0 or later.

Workarounds and Mitigations

None
