Improper neutralization of special elements in output used by a downstream component in IBM Cloud Automation Manager

Published: 2021-12-22 | Updated: 2023-06-06

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2020-7769
CWE-ID	CWE-74
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	IBM Cloud Automation Manager Server applications / Other server solutions
Vendor	IBM Corporation

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU76973

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-7769

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use of crafted recipient email addresses. A remote unauthenticated attacker can trigger the vulnerability resulting in arbitrary command flag injection in sendmail transport for sending mails.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Automation Manager: before 4.2.0.1 iFix 2

CPE2.3

cpe:2.3:a:ibm_corporation:ibm_cloud_automation_manager:*:*:*:*:*:*:*:*

External links

https://www.ibm.com/support/pages/node/6416679

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.