Lucene search

IBM25F67427B3CB716CD779279781C3805091614F56FBDF720352221C7BFCD61545

HistoryJul 12, 2023 - 9:22 p.m.

Security Bulletin: IBM Match 360 is vulnerable to CVE-2019-10202 and CVE-2019-10172 for jackson-mapper-asl

2023-07-1221:22:04

www.ibm.com

ibm match 360

remote code execution

sensitive information disclosure

cve-2019-10202

cve-2019-10172

jackson-mapper-asl

xml external entity error

upgrade fix

public cloud

version 4.7.1

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.019

Percentile

88.9%

JSON

Summary

Match 360 is vulnerable to the following CVEs: CVE-CVE-2019-10202 and CVE-2019-10172

Vulnerability Details

CVEID:CVE-2019-10202
**DESCRIPTION:**Red Hat JBoss Enterprise Application Platform (EAP) could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization in Codehaus. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168251 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-10172
**DESCRIPTION:**Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172436 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Match 360	All

Remediation/Fixes

Upgrade Match 360 to version 4.7.1 or higher. Services in public cloud have been updated with the latest version to resolve these CVEs.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmibm_match_360Matchany

VendorProductVersionCPE
ibmibm_match_360anycpe:2.3:a:ibm:ibm_match_360:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	ibm_match_360	any	cpe:2.3:a:ibm:ibm_match_360:any:::::::*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.019

Percentile

88.9%

JSON

Related for 25F67427B3CB716CD779279781C3805091614F56FBDF720352221C7BFCD61545