Improper Neutralization of Special Elements in Output Used by a Downstream Component in IBM SmartCloud Analytics

#VU22971 Improper Neutralization of Special Elements in Output Used by a Downstream Component in IBM SmartCloud Analytics

Published: 2019-11-25

Vulnerability identifier: #VU22971

Vulnerability risk: Medium

CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-4216

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM SmartCloud Analytics
Server applications / Frameworks for developing and running applications

Vendor: IBM Corporation

Description

The vulnerability allows a remote attacker to perform host header injection attack.

The vulnerability exists due to improper validation of input. A remote authenticated attacker can abuse the HTTP Host header that could lead to HTTP cache poisoning or firewall bypass.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM SmartCloud Analytics: 1.3.1 - 1.3.5

External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/159187
http://www.ibm.com/support/pages/node/1109745

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM SmartCloud Analytics