IBM Cúram Social Program Management uses the FasterXML Jackson libraries, for which there is a publicly known vulnerability. For this vulnerability FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly.
CVEID: CVE-2020-25649
**DESCRIPTION:** FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s)
---|---
Cúram SPM | 7.0.10 - 7.0.11
Cúram SPM | 7.0.5 - 7.0.9
Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 7.0.11 | Visit IBM Fix Central and upgrade to 7.0.11_iFix2 or a subsequent 7.0.11 release.
Cúram SPM | 7.0.9 | Visit IBM Fix Central and upgrade to 7.0.9.0_iFix7 or a subsequent 7.0.4 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.