Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2019-4214 CVE-2019-4243 CVE-2019-4216 CVE-2019-4215 |
CWE-ID | CWE-276 CWE-74 CWE-451 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
IBM SmartCloud Analytics Server applications / Frameworks for developing and running applications |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU22969
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-4214
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the target system.
The vulnerability exists due to the affected software does not set the secure attribute on authorization tokens or session cookies. A remote attacker can intercept the transmission and obtain information from the cookie in clear text.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIBM SmartCloud Analytics: 1.3.1 - 1.3.5
External linkshttp://exchange.xforce.ibmcloud.com/vulnerabilities/159185
http://www.ibm.com/support/pages/node/1110171
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22972
Risk: Low
CVSSv3.1: 4.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-4243
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories, such as solrconfig.xml or perform disruptive administrator tasks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIBM SmartCloud Analytics: 1.3.1 - 1.3.5
External linkshttp://exchange.xforce.ibmcloud.com/vulnerabilities/159517
http://www.ibm.com/support/pages/node/1109721
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22971
Risk: Medium
CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-4216
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform host header injection attack.
The vulnerability exists due to improper validation of input. A remote authenticated attacker can abuse the HTTP Host header that could lead to HTTP cache poisoning or firewall bypass.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIBM SmartCloud Analytics: 1.3.1 - 1.3.5
External linkshttp://exchange.xforce.ibmcloud.com/vulnerabilities/159187
http://www.ibm.com/support/pages/node/1109745
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22970
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-4215
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick a victim to visit a malicious website and hijack the victim's click actions.
Install updates from vendor's website.
Vulnerable software versionsIBM SmartCloud Analytics: 1.3.1 - 1.3.5
External linkshttp://exchange.xforce.ibmcloud.com/vulnerabilities/159186
http://www.ibm.com/support/pages/node/1109769
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.