SB2023071416 - Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023071416

SB2023071416 - Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody

Published: July 14, 2023

Security Bulletin ID SB2023071416
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2015-0250)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can read arbitrary files or cause a denial of service via a crafted SVG file.


2) Deserialization of untrusted data (CVE-ID: CVE-2018-8013)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient validation of user-supplied data. A remote attacker can supply specially crafted data, trigger a deserialization error in a subclass of 'AbstractDocuent' and access potentially sensitive information.


3) XXE attack (CVE-ID: CVE-2017-5662)

The vulnerability allows a remote unauthenticated attacker to conduct XXE-attack on the target system.

The weakness exists due to improper restriction of XML external entity references. A remote attacker can supply specially crafted xml document to gain access to arbitrary files or conduct amplification attack to cause the service to crash.

Remediation

Install update from vendor's website.

References