Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0E50F65C808F586500821D496AAB7015EB99419AB5D863F7D208E9A2EC299498
HistoryFeb 26, 2021 - 5:14 p.m.

Security Bulletin: Multiple vulnerabilities affect the IBM Performance Management product

2021-02-2617:14:58
www.ibm.com
10
ibm performance management
vulnerabilities
xss
spoofing
information disclosure
8.1.4.0-ibm-apm-server-if0011

EPSS

0.001

Percentile

29.7%

JSON

Summary

Multiple vulnerabilities affect the IBM Performance Management product.

Vulnerability Details

CVEID:CVE-2020-4726
**DESCRIPTION:**The IBM Application Performance Monitoring UI allows web pages to be stored locally which can be read by another user on the system.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187975 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-4421
**DESCRIPTION:**IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2020-4719
**DESCRIPTION:**The APM server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187861 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-4725
**DESCRIPTION:**IBM Monitoring could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-4303
**DESCRIPTION:**IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-4304
**DESCRIPTION:**IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176670 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud APM, Base Private 8.1.4
IBM Cloud APM, Advanced Private 8.1.4

Remediation/Fixes

The vulnerabilities can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0011 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/6415935&gt;

Workarounds and Mitigations

None

Related

ibm 35
redhat 2
cvelist 6
nvd 6
cve 6
prion 6
ibm
ibm
Security Bulletin: A security vulnerabilities has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 .
2020-06-30 08:55:32
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Digital Business Automation Workflow family products
2022-09-14 15:28:14
Security Bulletin: Multiple security vulnerabilities in IBM WebSphere Application Server Liberty shipped with IBM Cloud Pak System family products
2020-07-07 13:14:44
redhat
redhat
(RHSA-2020:1428) Moderate: Open Liberty 20.0.0.4 Runtime security update
2020-04-13 18:31:20
(RHSA-2020:2054) Important: Open Liberty 20.0.0.5 Runtime security update
2020-05-11 13:29:28
cvelist
cvelist
CVE-2020-4726
2021-03-02 16:55:19
CVE-2020-4719
2021-03-02 16:55:18
CVE-2020-4725
2021-03-02 16:55:19
nvd
nvd
CVE-2020-4726
2021-03-02 17:15:13
CVE-2020-4719
2021-03-02 17:15:13
CVE-2020-4421
2020-05-06 14:15:10
cve
cve
CVE-2020-4726
2021-03-02 17:15:13
CVE-2020-4719
2021-03-02 17:15:13
CVE-2020-4725
2021-03-02 17:15:13
prion
prion
Authorization
2021-03-02 17:15:00
Code injection
2021-03-02 17:15:00
Design/Logic Flaw
2021-03-02 17:15:00

EPSS

0.001

Percentile

29.7%

JSON
Related for 0E50F65C808F586500821D496AAB7015EB99419AB5D863F7D208E9A2EC299498
ibm35redhat2cvelist6nvd6cve6prion6