cnvd - cnvd-2020-74621

cnvd-2020-74621

Vulnerability from cnvd

Title: 多款IBM产品授权问题漏洞

Description:

IBM Business Process Manager（BPM）等都是美国IBM公司的产品。IBM Business Process Manager是一套综合的业务流程管理平台。IBM Business Automation Workflow是一套工作流程自动化解决方案。IBM Process Federation Server Component是一个IBM BPM环境的可选组件。

IBM Automation Workstream Services 19.0.3、20.0.1、20.0.2版本，IBM Business Automation Workflow 18.0、19.0、20.0版本和IBM Business Process Manager 8.6版本存在授权问题漏洞。经过身份认证的攻击者可利用该漏洞获取敏感信息或导致拒绝服务。

Severity: 中

Patch Name: 多款IBM产品授权问题漏洞的补丁

Patch Description:

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.ibm.com/support/pages/node/6359463

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-4794

Impacted products

Name
['IBM Business Automation Workflow 18.0', 'IBM Business Automation Workflow 19.0', 'IBM Business Automation Workflow 20.0', 'IBM Business Process Manager 8.6', 'IBM Automation Workstream Services 19.0.3', 'IBM Automation Workstream Services 20.0.1', 'IBM Automation Workstream Services 20.0.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-4794",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-4794"
    }
  },
  "description": "IBM Business Process Manager\uff08BPM\uff09\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002IBM Process Federation Server Component\u662f\u4e00\u4e2aIBM BPM\u73af\u5883\u7684\u53ef\u9009\u7ec4\u4ef6\u3002\n\nIBM Automation Workstream Services 19.0.3\u300120.0.1\u300120.0.2\u7248\u672c\uff0cIBM Business Automation Workflow 18.0\u300119.0\u300120.0\u7248\u672c\u548cIBM Business Process Manager 8.6\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u7ecf\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.ibm.com/support/pages/node/6359463",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-74621",
  "openTime": "2020-12-28",
  "patchDescription": "IBM Business Process Manager\uff08BPM\uff09\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002IBM Process Federation Server Component\u662f\u4e00\u4e2aIBM BPM\u73af\u5883\u7684\u53ef\u9009\u7ec4\u4ef6\u3002\r\n\r\nIBM Automation Workstream Services 19.0.3\u300120.0.1\u300120.0.2\u7248\u672c\uff0cIBM Business Automation Workflow 18.0\u300119.0\u300120.0\u7248\u672c\u548cIBM Business Process Manager 8.6\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u7ecf\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eIBM\u4ea7\u54c1\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Business Automation Workflow 18.0",
      "IBM Business Automation Workflow 19.0",
      "IBM Business Automation Workflow 20.0",
      "IBM Business Process Manager 8.6",
      "IBM Automation Workstream Services 19.0.3",
      "IBM Automation Workstream Services 20.0.1",
      "IBM Automation Workstream Services 20.0.2"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-4794",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-23",
  "title": "\u591a\u6b3eIBM\u4ea7\u54c1\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2020-4794 (GCVE-0-2020-4794)

Vulnerability from cvelistv5

Published

2020-12-21 17:50

Modified

2024-09-16 18:43

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C

CWE

Denial of Service

Summary

IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/6359463	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/189445	vdb-entry, x_refsource_XF

Impacted products

Vendor

Product

Version

▼

IBM

Automation Workstream Services

Version: 19.0.3
Version: 20.0.1
Version: 20.0.2

	IBM	Business Process Manager	Version: 8.6
	IBM	Business Automation Workflow	Version: 19.0 Version: 20.0 Version: 18.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:14:58.550Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/6359463"
          },
          {
            "name": "ibm-icp4a-cve20204794-input-validation (189445)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189445"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Automation Workstream Services",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "19.0.3"
            },
            {
              "status": "affected",
              "version": "20.0.1"
            },
            {
              "status": "affected",
              "version": "20.0.2"
            }
          ]
        },
        {
          "product": "Business Process Manager",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.6"
            }
          ]
        },
        {
          "product": "Business Automation Workflow",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "19.0"
            },
            {
              "status": "affected",
              "version": "20.0"
            },
            {
              "status": "affected",
              "version": "18.0"
            }
          ]
        }
      ],
      "datePublic": "2020-12-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 4.7,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/A:L/I:N/C:L/AC:L/PR:L/S:U/AV:N/UI:N/RC:C/E:U/RL:O",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-21T17:50:30",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/pages/node/6359463"
        },
        {
          "name": "ibm-icp4a-cve20204794-input-validation (189445)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189445"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2020-12-18T00:00:00",
          "ID": "CVE-2020-4794",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Automation Workstream Services",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "19.0.3"
                          },
                          {
                            "version_value": "20.0.1"
                          },
                          {
                            "version_value": "20.0.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Business Process Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.6"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Business Automation Workflow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "19.0"
                          },
                          {
                            "version_value": "20.0"
                          },
                          {
                            "version_value": "18.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "L",
              "AC": "L",
              "AV": "N",
              "C": "L",
              "I": "N",
              "PR": "L",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/pages/node/6359463",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 6359463 (Automation Workstream Services)",
              "url": "https://www.ibm.com/support/pages/node/6359463"
            },
            {
              "name": "ibm-icp4a-cve20204794-input-validation (189445)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189445"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2020-4794",
    "datePublished": "2020-12-21T17:50:30.680303Z",
    "dateReserved": "2019-12-30T00:00:00",
    "dateUpdated": "2024-09-16T18:43:25.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted