Vulnerability CVE-2019-4202


Published: 2019-04-15

Description:
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to command injection. An attacker with a specially crafted request can run arbitrary code on the server and gain complete access to the system. IBM X-Force ID: 159123.

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: IBM
Product: Api connect 
Version:
5.0.8.6
5.0.8.5
5.0.8.4
5.0.8.3
5.0.8.2
5.0.8.1
5.0.8.0
5.0.7.2
5.0.7.1
5.0.7.0
5.0.6.6
5.0.6.5
5.0.6.4
5.0.6.3
5.0.6.2
5.0.6.1
5.0.6.0
5.0.5.0
5.0.4.0
5.0.3.0
5.0.2.0
5.0.1.0
5.0.0.1
5.0.0.0

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/107908
https://exchange.xforce.ibmcloud.com/vulnerabilities/159123
https://www.ibm.com/support/docview.wss?uid=ibm10880109

Related CVE
CVE-2019-4482
IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disc...
CVE-2019-4437
IBM API Connect 2018.1 through 2018.4.1.6 may inadvertently leak sensitive details about internal servers and network via API swagger. IBM X-force ID: 162947.
CVE-2019-4338
IBM Security Guardium Big Data Intelligence 4.0 (SonarG) does not properly restrict the size or amount of resources that are requested or influenced by an actor. This weakness can be used to consume more resources than intended. IBM X-Force ID: 16141...
CVE-2019-4167
IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158700.
CVE-2019-4120
IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a ...
CVE-2019-4484
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks aga...
CVE-2019-4483
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or ...
CVE-2019-4481
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or ...

Copyright 2019, cxsecurity.com

 

Back to Top