Vulnerability CVE-2019-4202


Published: 2019-04-15

Description:
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to command injection. An attacker with a specially crafted request can run arbitrary code on the server and gain complete access to the system. IBM X-Force ID: 159123.

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: IBM
Product: API Connect
Version:
5.0.8.6
5.0.8.5
5.0.8.4
5.0.8.3
5.0.8.2
5.0.8.1
5.0.8.0
5.0.7.2
5.0.7.1
5.0.7.0
5.0.6.6
5.0.6.5
5.0.6.4
5.0.6.3
5.0.6.2
5.0.6.1
5.0.6.0
5.0.5.0
5.0.4.0
5.0.3.0
5.0.2.0
5.0.1.0
5.0.0.1
5.0.0.0

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.securityfocus.com/bid/107908
https://exchange.xforce.ibmcloud.com/vulnerabilities/159123
https://www.ibm.com/support/docview.wss?uid=ibm10880109

Related CVE
CVE-2018-1729
IBM QRadar SIEM 7.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 147708.
CVE-2019-4203
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from the host OS and potentially carry out SSRF attacks. IBM X-Force ID: 159124.
CVE-2019-4178
IBM Cognos Analytics 11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to write or view arbitrary files on the system. IBM X-Force ID: 158919.
CVE-2019-4012
IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-en...
CVE-2018-1925
IBM WebSphere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 152925.
CVE-2019-4013
IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on the underlying system with root privileges. IBM X-Force ID: 155887.
CVE-2018-1994
IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-F...
CVE-2018-1903
IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, and 6.0.0 could allow a user with restricted sudo access on a system to manipulate CD UNIX to gain full sudo access. IBM X-Force ID: 152532.

Copyright 2019, cxsecurity.com