Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6C70BBD2D1B5B0FA5F0B15B301868A5A4E2444A849FAAB2C2F88558997C5D77B
HistorySep 14, 2022 - 3:02 p.m.

Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425)

2022-09-1415:02:20
www.ibm.com
10
ibm business automation workflow
ibm bpm
vulnerability
reverse tabnabbing
cve-2019-4425
security bulletin
remediation
ifix
upgrade

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

31.0%

JSON

Summary

A reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM BPM has been found.

Vulnerability Details

CVEID: CVE-2019-4425 DESCRIPTION: IBM Business Automation Workflow could allow a user to obtain highly sensitive information from another user by inserting links that would be clicked on by unsuspecting users.
CVSS Base Score: 5.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162771&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

Remediation/Fixes

Install interim fix JR61123 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2
ยท Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by iFix and then apply iFix JR61123
--ORโ€“
ยท Apply cumulative fix IBM Business Automation Workflow V19.0.0.3

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
ยท Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then apply iFix JR61123

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
ยท Apply Cumulative Fix 2017.06 and then apply iFix JR61123

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
ยท Apply CF2 as required by iFix and then apply iFix JR61123

For IBM BPM V8.5.5.0
ยท Apply iFix JR61123

For IBM BPM V8.5.0.0 through V8.5.0.2
ยท Install Fix Pack 2 as required by iFix and then apply iFix JR61123

For IBM BPM V8.0.0.0 through V8.0.1.3

ยท Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix and then apply iFix JR61123

As IBM Business Process Manager V8.0 is out of general support, customers with a support extension contract can contact IBM support to request the fix.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch18.0.0.0
OR
ibmbusiness_automation_workflowMatch18.0.0.1
OR
ibmbusiness_automation_workflowMatch18.0.0.2
OR
ibmbusiness_process_managerMatch8.6.0.
OR
ibmbusiness_process_managerMatch201803
OR
ibmbusiness_process_managerMatch8.6.0.
OR
ibmbusiness_process_managerMatch201712
OR
ibmbusiness_process_managerMatch8.6
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201706advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201703advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201612advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201609advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201606advanced
OR
ibmbusiness_process_managerMatch8.5.7advanced
OR
ibmbusiness_process_managerMatch8.5.6.2advanced
OR
ibmbusiness_process_managerMatch8.5.6.1advanced
OR
ibmbusiness_process_managerMatch8.5.6advanced
OR
ibmbusiness_process_managerMatch8.6.0.express
OR
ibmbusiness_process_managerMatch201803express
OR
ibmbusiness_process_managerMatch8.6.0.express
OR
ibmbusiness_process_managerMatch201712express
OR
ibmbusiness_process_managerMatch8.6express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201706express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201703express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201612express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201609express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201606express
OR
ibmbusiness_process_managerMatch8.5.7express
OR
ibmbusiness_process_managerMatch8.5.6.2express
OR
ibmbusiness_process_managerMatch8.5.6.1express
OR
ibmbusiness_process_managerMatch8.5.6express
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201706standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201703standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201612standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201609standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201606standard
OR
ibmbusiness_process_managerMatch8.5.7standard
OR
ibmbusiness_process_managerMatch8.5.6.2standard
OR
ibmbusiness_process_managerMatch8.5.6.1standard
OR
ibmbusiness_process_managerMatch8.5.6standard
VendorProductVersionCPE
ibmbusiness_automation_workflow18.0.0.0cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.1cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
ibmbusiness_process_manager8.6.0.cpe:2.3:a:ibm:business_process_manager:8.6.0.:*:*:*:*:*:*:*
ibmbusiness_process_manager201803cpe:2.3:a:ibm:business_process_manager:201803:*:*:*:*:*:*:*
ibmbusiness_process_manager201712cpe:2.3:a:ibm:business_process_manager:201712:*:*:*:*:*:*:*
ibmbusiness_process_manager8.6cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
ibmbusiness_process_manager8.5.7.cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201706cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201703cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:advanced:*:*:*
Rows per page:
1-10 of 411

Related

prion 1
cvelist 1
cve 1
nvd 1
prion
prion
Code injection
2019-08-20 19:15:00
cvelist
cvelist
CVE-2019-4425
2019-08-20 18:25:26
cve
cve
CVE-2019-4425
2019-08-20 19:15:12
nvd
nvd
CVE-2019-4425
2019-08-20 19:15:12

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

31.0%

JSON
Related for 6C70BBD2D1B5B0FA5F0B15B301868A5A4E2444A849FAAB2C2F88558997C5D77B
prion1cvelist1cve1nvd1