
Security Bulletin: API Connect is impacted by credential caching

Dec 13, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-4444
DESCRIPTION: IBM API Connect Developer Portal's user registration page does not disable password autocomplete. An attacker with access to the browser instance and local system credentials can steal the credentials used for registration.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163453 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)


Security Bulletin: A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision

Dec 13, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-11246
DESCRIPTION: The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user's machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.12.9, versions prior to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162892 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)


Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an abend while processing messages. (CVE-2019-4560)

Dec 13, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-4560
DESCRIPTION: IBM MQ is vulnerable to a denial of service attack caused by channels processing poorly formatted messages.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)


Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-0220
DESCRIPTION: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158948 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-10098
DESCRIPTION: In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165366 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-10092
DESCRIPTION: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-20843
DESCRIPTION: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163073 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-4080
DESCRIPTION: IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing. A remote attacker could exploit this to consume all available CPU resources. IBM X-Force ID: 157380.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157380 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4441
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163177 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4477
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options. IBM X-Force ID: 163997.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163997 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-4046
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of memory. IBM X-Force ID: 156242.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4268
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 160201.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160201 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4270
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160203.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160203 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-4442
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content. IBM X-Force ID: 163226.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163226 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)


Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component in IBM Case Manager (CVE-2019-4426)

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-4426
DESCRIPTION:
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162772 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)


Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426)

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-4426
DESCRIPTION: Case Builder component shipped with IBM Business Automation Workflow and IBM Case Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162772 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)


Security Bulletin: Man in the middle vulnerability in Liberty for Java for IBM Cloud (CVE-2014-3603)

Dec 11, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2014-3603
DESCRIPTION: The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)


Security Bulletin: One vulnerability of Mozilla Firefox (less than Firefox 60.7.2 ESR) has affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF07

Dec 11, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-11708
DESCRIPTION: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162774 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)


Security Bulletin: One vulnerability of Mozilla Firefox (less than Firefox 60.7.1 ESR) has affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF07

Dec 11, 2019 7:00 pm EST | Medium Severity

CVEID: CVE-2019-11707
DESCRIPTION: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162711 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)