IBM Cúram Social Program Management uses the Apache Commons Beanutils library, for which there is a publicly known vulnerability. The vulnerability could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVEID:CVE-2019-10086
**DESCRIPTION:**Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
Curam SPM | 7.0.5.0 - 7.0.8 |
Curam SPM | 7.0.0.0 - 7.0.4.4 |
Curam SPM | 6.2.0.0 - 6.2.0.6 |
Curam SPM | 6.1.0.0 - 6.1.1.6 |
Curam SPM | 6.0.5.0 - 6.0.5.10 |
Product | VRMF | Remediation/First Fix |
---|---|---|
Cúram SPM |
7.0.9
| Visit IBM Fix Central and upgrade to 7.0.9 or a subsequent 7.0.9 release.
Cúram SPM |
7.0.4.4
| Visit IBM Fix Central and upgrade to 7.0.4.4_iFix1 or a subsequent 7.0.4.4 release.
Cúram SPM |
6.2.0.6
| Visit IBM Fix Central and upgrade to 6.2.0.6_iFix4 or a subsequent 6.2.0.6 release.
Cúram SPM |
6.1.1.6
| Visit IBM Fix Central and upgrade to 6.1.1.6_iFix4 or a subsequent 6.1.1.6 release.
Cúram SPM | 6.0.5.10 | Visit IBM Fix Central and upgrade to 6.0.5.10_iFix5 or a subsequent 6.0.5.10 release.
For information about all other versions, contact IBM Cúram Social Program Management customer support.