Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC633E3F919C9BCD1EAFB625FB054DC01CA44ECB316E9D13E7A22A44BF1FFF391
HistoryAug 10, 2021 - 8:12 p.m.

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

2021-08-1020:12:09
www.ibm.com
27
ibm disconnected log collector
vulnerability
component vulnerabilities
terracotta
guava
apache log4j
apache httpclient
fasterxml jackson databind

EPSS

0.008

Percentile

81.5%

JSON

Summary

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.

Vulnerability Details

CVEID:CVE-2019-13990
**DESCRIPTION:**Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165431 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-8908
**DESCRIPTION:**Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2020-9488
**DESCRIPTION:**Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180824 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-25649
**DESCRIPTION:**FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Disconnected Log Collector v1.0 - v1.5

Remediation/Fixes

IBM Disconnected Log Collector v1.6

Workarounds and Mitigations

None

Related

redhat 14
ibm 48
ubuntucve 5
redhatcve 4
osv 30
nessus 27
openvas 10
cvelist 4
prion 5
github 6
cve 5
rosalinux 1
veracode 5
mageia 3
debiancve 5
atlassian 2
nvd 5
debian 3
f5 1
cbl_mariner 2
cgr 3
rocky 2
oraclelinux 2
almalinux 2
amazon 1
wolfi 2
fedora 1
ubuntu 1
redhat
redhat
(RHSA-2021:1044) Moderate: Red Hat Process Automation Manager 7.10.1 security update
2021-03-30 16:27:02
(RHSA-2021:0811) Low: Red Hat Integration Tech-Preview 3 Camel K security update
2021-03-11 17:45:46
(RHSA-2021:0603) Important: Red Hat Decision Manager 7.10.0 security update
2021-02-17 13:36:01
ibm
ibm
Security Bulletin: Vulnerabilities in Logback, Guava and Apache HTTPClient affect IBM watsonx.data
2024-09-25 19:04:57
Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Terracotta Quartz ( CVE-2019-13990)
2020-10-27 23:52:58
Security Bulletin: Quartz vulnerability affects IBM Spectrum Protect Plus (CVE-2019-13990)
2020-06-12 20:12:45
ubuntucve
ubuntucve
CVE-2019-13990
2019-07-26 00:00:00
CVE-2020-25649
2020-12-03 00:00:00
CVE-2020-9488
2020-04-27 00:00:00
redhatcve
redhatcve
CVE-2019-13990
2020-02-10 11:44:18
CVE-2020-9488
2020-05-04 17:40:34
CVE-2020-25649
2020-10-13 20:16:54
osv
osv
CVE-2019-13990
2019-07-26 19:15:11
XML external entity injection in Terracotta Quartz Scheduler
2020-07-01 17:55:03
CVE-2020-25649
2020-12-03 17:15:12
nessus
nessus
Atlassian JIRA Service Desk < 4.20.26 / 5.4.x < 5.4.10 / 5.5.x < 5.7.2 / 5.8.x < 5.8.2 / 5.9.x < 5.9.2 / 5.10.x < 5.10.1 (JSDSERVER-14401)
2023-10-20 00:00:00
RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:4312)
2023-01-23 00:00:00
RHEL 8 : RHV-M(ovirt-engine) 4.4.z security, update [ovirt-4.4.4] (Low) (RHSA-2021:0381)
2021-02-03 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2021-0133)
2022-01-28 00:00:00
Apache Log4j 2.x < 2.13.2 Information Disclosure Vulnerability - Windows
2021-12-22 00:00:00
Apache Log4j 2.x < 2.13.2 Information Disclosure Vulnerability - Linux
2021-12-22 00:00:00
cvelist
cvelist
CVE-2019-13990
2019-07-26 00:00:00
CVE-2020-25649
2020-12-03 16:16:50
CVE-2020-9488
2020-04-27 15:36:10
prion
prion
Design/Logic Flaw
2019-07-26 19:15:00
Input validation
2020-04-27 16:15:00
Xxe
2020-12-03 17:15:00
github
github
XML external entity injection in Terracotta Quartz Scheduler
2020-07-01 17:55:03
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender
2020-06-05 14:15:51
Vulnerable dependency in XTDB connector
2021-12-16 18:53:32
cve
cve
CVE-2019-13990
2019-07-26 19:15:11
CVE-2020-25649
2020-12-03 17:15:12
CVE-2020-9488
2020-04-27 16:15:12
rosalinux
rosalinux
Advisory ROSA-SA-2023-2272
2023-10-22 06:16:50
veracode
veracode
XML External Entity (XXE)
2020-02-19 04:27:53
XML External Entity (XXE)
2020-10-15 05:10:32
Information Disclosure
2020-10-26 05:09:07
mageia
mageia
Updated quartz packages fix a security vulnerability
2021-03-15 00:20:42
Updated guava packages fix security vulnerability
2021-01-10 22:46:12
Updated httpcomponents-client packages fix a security vulnerability
2021-07-07 02:12:30
debiancve
debiancve
CVE-2019-13990
2019-07-26 19:15:11
CVE-2020-25649
2020-12-03 17:15:12
CVE-2020-9488
2020-04-27 16:15:12
atlassian
atlassian
XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990
2023-09-20 15:53:19
XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server
2023-12-07 21:45:20
nvd
nvd
CVE-2019-13990
2019-07-26 19:15:11
CVE-2020-8908
2020-12-10 23:15:13
CVE-2020-25649
2020-12-03 17:15:12
debian
debian
[SECURITY] [DLA 2406-1] jackson-databind security update
2020-10-14 10:31:09
[SECURITY] [DLA 2405-1] httpcomponents-client security update
2020-10-10 17:12:02
[SECURITY] [DSA 4772-1] httpcomponents-client security update
2020-10-14 20:21:34
f5
f5
K15111130 : log4j 1.2.x vulnerability CVE-2020-9488
2022-02-10 00:00:00
cbl_mariner
cbl_mariner
CVE-2020-8908 affecting package guava for versions less than 25.0-7
2023-09-13 02:10:38
CVE-2020-8908 affecting package guava 25.0-5
2024-09-30 09:32:25
cgr
cgr
CVE-2020-8908 vulnerabilities
2024-05-19 03:07:16
CVE-2020-13956 vulnerabilities
2024-05-19 03:07:16
CVE-2020-25649 vulnerabilities
2024-05-19 03:07:16
rocky
rocky
maven:3.6 security and enhancement update
2022-05-10 08:04:46
maven:3.5 security update
2022-05-10 08:04:48
oraclelinux
oraclelinux
maven:3.5 security update
2022-05-17 00:00:00
maven:3.6 security and enhancement update
2022-05-17 00:00:00
almalinux
almalinux
Moderate: maven:3.5 security update
2022-05-10 08:04:48
Moderate: maven:3.6 security and enhancement update
2022-05-10 08:04:46
amazon
amazon
Medium: httpcomponents-client
2023-02-17 00:11:00
wolfi
wolfi
CVE-2020-25649 vulnerabilities
2024-05-29 03:07:31
CVE-2020-13956 vulnerabilities
2024-09-30 09:32:54
fedora
fedora
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32
2021-02-10 01:30:26
ubuntu
ubuntu
HttpClient vulnerability
2022-08-08 00:00:00

EPSS

0.008

Percentile

81.5%

JSON
Related for C633E3F919C9BCD1EAFB625FB054DC01CA44ECB316E9D13E7A22A44BF1FFF391
redhat14ibm48ubuntucve5redhatcve4osv30nessus27openvas10cvelist4prion5github6cve5rosalinux1veracode5mageia3debiancve5atlassian2nvd5debian3f51cbl_mariner2cgr3rocky2oraclelinux2almalinux2amazon1wolfi2fedora1ubuntu1