Lucene search

IbmCVE-2018-1801

HistoryFeb 04, 2019 - 9:29 p.m.

CVE-2018-1801

2019-02-0421:29:00

CWE-611

ibm

web.nvd.nist.gov

ibm

app connect

integration bus

websphere

message broker

v11.0.0.0

v10.0.0.0

v9.0.0.0

v8.0.0.0

xxe

vulnerability

xml

security

memory consumption

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

47.5%

JSON

IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.

Affected configurations

Nvd

Vulners

Node

ibmapp_connectRange11.0.0.0–11.0.0.1

ibmintegration_busRange9.0.0.0–9.0.0.10

ibmintegration_busRange10.0.0.0–10.0.0.13

ibmwebsphere_message_brokerRange8.0.0.0–8.0.0.9

VendorProductVersionCPE
ibmapp_connect*cpe:2.3:a:ibm:app_connect:*:*:*:*:*:*:*:*
ibmintegration_bus*cpe:2.3:a:ibm:integration_bus:*:*:*:*:*:*:*:*
ibmwebsphere_message_broker*cpe:2.3:a:ibm:websphere_message_broker:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect	*	cpe:2.3:a:ibm:app_connect::::::::
ibm	integration_bus	*	cpe:2.3:a:ibm:integration_bus::::::::
ibm	websphere_message_broker	*	cpe:2.3:a:ibm:websphere_message_broker::::::::

CNA Affected

[
  {
    "product": "Integration Bus",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "9.0.0.0"
      },
      {
        "status": "affected",
        "version": "10.0.0.0"
      },
      {
        "status": "affected",
        "version": "9.0.0.10"
      },
      {
        "status": "affected",
        "version": "10.0.0.13"
      }
    ]
  },
  {
    "product": "WebSphere Message Broker",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "8.0.0.0"
      },
      {
        "status": "affected",
        "version": "8.0.0.9"
      }
    ]
  },
  {
    "product": "App Connect",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "11.0.0.0"
      },
      {
        "status": "affected",
        "version": "11.0.0.1"
      }
    ]
  }
]

References

www.ibm.com/support/docview.wss?uid=ibm10795780

exchange.xforce.ibmcloud.com/vulnerabilities/149639

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

47.5%

JSON

Related for CVE-2018-1801