Main Vulnerability Database SB2020012835

SB2020012835 - XML External Entity injection in IBM Security Access Manager

Published: January 28, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020012835

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) XML External Entity injection (CVE-ID: CVE-2019-4707)

The vulnerability allows a remote authenticated user to #BASIC_IMPACT#.

IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172018.

Remediation

Install update from vendor's website.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/172018
https://www.ibm.com/support/pages/node/1284034