6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
0.002 Low
EPSS
Percentile
56.2%
An XML external entity security vulnerability has been reported for FileNet Content Management Interoperability Services (CMIS) shipped with IBM Business Automation Workflow and IBM BPM.
CVEID: CVE-2018-1364 DESCRIPTION: IBM Content Navigator 2.0 and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 137449.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137449> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
Install interim fix PJ45479 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.
For IBM Business Automation Workflow V18.0.0.0
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix PJ45479
--OR–
· Apply Cumulative Fix V18.0.0.1 or later
For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix PJ45479
--OR–
· Apply Cumulative Fix 2018.03 or later
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix PJ45479
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
· Apply CF2 as required by iFix and then apply iFix PJ45479
For IBM BPM V8.5.5.0
· Apply iFix PJ45479
For IBM BPM V8.5.0.0 through V8.5.0.02
· Install Fix Pack 2 as required by iFix and then apply iFix PJ45479
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
0.002 Low
EPSS
Percentile
56.2%