Multiple vulnerabilities in IBM Cloud Pak for Automation
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2020-14581 CVE-2020-4557 CVE-2020-11080 CVE-2020-8174 CVE-2020-8172 CVE-2020-4698 CVE-2020-1960 CVE-2020-4516 CVE-2019-17639 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583 CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2800 CVE-2020-2781 CVE-2020-2830 CVE-2019-14892 CVE-2020-7656 CVE-2020-4577 |
| CWE-ID | CWE-20 CWE-79 CWE-400 CWE-119 CWE-285 CWE-74 CWE-843 CWE-502 CWE-451 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #25 is available. |
| Vulnerable software |
IBM Cloud Pak for Business Automation Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU30077
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14581
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU109013
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-4557
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU28538
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-11080
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU28539
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-8174
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. A remote attacker can create a specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Authorization
EUVDB-ID: #VU28537
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-8172
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization process.
The
vulnerability exists due to TLS session reuse and host certificate
verification bypass, as the 'session' event can be emitted before the
'secureConnect' event in Node.js. The application agent performs https
session caching and an unauthorized connection can be established via
the cached session ticket and treated as authorized connection.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site scripting
EUVDB-ID: #VU109014
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-4698
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU109015
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-1960
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A local user with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU109016
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-4516
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Type Confusion
EUVDB-ID: #VU44142
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-17639
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error on Power platforms. A remote attacker can call the System.arraycopy method with a length longer than the length of the
source or destination array and cause the current method to return prematurely with an
undefined return value. As a result, a remote attacker can influence application flow and execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper input validation
EUVDB-ID: #VU30080
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14577
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper input validation
EUVDB-ID: #VU30078
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14578
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper input validation
EUVDB-ID: #VU30079
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14579
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper input validation
EUVDB-ID: #VU30075
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14556
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Improper input validation
EUVDB-ID: #VU30074
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14621
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Improper input validation
EUVDB-ID: #VU30072
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14593
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Improper input validation
EUVDB-ID: #VU30065
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-14583
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Improper input validation
EUVDB-ID: #VU27227
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-2754
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Improper input validation
EUVDB-ID: #VU27228
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-2755
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Improper input validation
EUVDB-ID: #VU27230
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-2756
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Improper input validation
EUVDB-ID: #VU27231
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-2757
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Improper input validation
EUVDB-ID: #VU27224
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-2800
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Improper input validation
EUVDB-ID: #VU27221
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-2781
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Improper input validation
EUVDB-ID: #VU27222
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-2830
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Deserialization of Untrusted Data
EUVDB-ID: #VU25833
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-14892
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Cross-site scripting
EUVDB-ID: #VU28228
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-7656
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the load() function. A remote attacker can pass specially crafted HTML code to the application and execute it in browser in security context of the affected website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
PoC:
index.html:
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
<div id="mydiv"></div>
<script>
$("#mydiv").load('inject.html #himom');
</script>
</body>
</html>inject.html:
<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
26) Spoofing attack
EUVDB-ID: #VU109017
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-4577
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote user can persuade a victim to visit a malicious Web site and exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Business Automation: 20.0.1 - 20.0.2
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6338721
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
