var-202102-0625
Vulnerability from variot

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882. The vendor tracks this issue as IBM X-Force ID 194882; the possible outcomes are disclosure of information and a denial-of-service (DoS) condition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the EDataGraphImpl class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data (that is ZDI's wording; the weakness recorded for the CVE is CWE-611, improper restriction of XML external entity references, which is consistent with the XML-processing description above). This product is a platform for Java EE and Web service applications, as well as the foundation of the IBM WebSphere software platform.

Practitioner notes: the affected-version ranges recorded in this entry put the first fixed fix-pack levels at 7.0.0.45, 8.0.0.15, 8.5.5.20 and 9.0.5.7; confirm these against IBM security bulletin 6413709 before relying on them, since the JVNDB entries list only the major versions. The IBM and NVD CVSS v3 vectors (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L, score 8.2) count the memory-consumption DoS, whereas ZDI's vector (A:N, score 7.5) scores only the information disclosure — the difference is scoring scope, not a different bug. The reference list also includes IBM bulletins for products that ship an embedded WebSphere Application Server (Content Collector for Email, Tivoli Monitoring, Security Privileged Identity Manager), so those deployments need the same fix even though they are not listed as separate affected products here.

CNNVD classifies this as a "code problem" vulnerability in IBM WebSphere Application Server — a weakness introduced by improper design or implementation during the product's development. The CNNVD entry itself provides no further technical detail; the technical description above comes from IBM, NVD, and ZDI.



{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "8.5.0.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "8.5.5.20"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "8.0.0.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "9.0.5.7"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "7.0.0.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "8.0.0.15"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "9.0.0.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "7.0.0.45"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "7.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "9.0"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "8.5"
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "8.0"
      },
      {
        "_id": null,
        "model": "websphere",
        "scope": null,
        "trust": 0.7,
        "vendor": "ibm",
        "version": null
      },
      {
        "_id": null,
        "model": "websphere application server",
        "scope": null,
        "trust": 0.6,
        "vendor": "ibm",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "r00t4dm at Cloud-Penetrating Arrow Lab and Longofo at Knownsec 404 Team",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2021-20353",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2021-20353",
            "impactScore": 4.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2021-12641",
            "impactScore": 4.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "psirt@us.ibm.com",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-20353",
            "impactScore": 4.2,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-20353",
            "impactScore": 4.2,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-20353",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2021-20353",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "psirt@us.ibm.com",
            "id": "CVE-2021-20353",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2021-20353",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2021-20353",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-12641",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202102-818",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-20353",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882. Vendor exploits this vulnerability IBM X-Force ID: 194882 Is published as.Information is obtained and denial of service (DoS) It may be put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the EDataGraphImpl class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. This product is a platform for JavaEE and Web service applications, as well as the foundation of the IBM WebSphere software platform. \n\r\n\r\nThere is a code problem vulnerability in IBM WebSphere Application Server, which stems from improper design or implementation problems in the code development process of network systems or products. No detailed vulnerability details are currently provided",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353"
      }
    ],
    "trust": 2.88
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-20353",
        "trust": 3.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-21-174",
        "trust": 2.4
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-12478",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.0500",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.0604",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      }
    ]
  },
  "id": "VAR-202102-0625",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:51:02.877000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "6413709 IBM X-Force Exchange",
        "trust": 1.5,
        "url": "https://www.ibm.com/support/pages/node/6413709"
      },
      {
        "title": "Patch for IBM WebSphere Application Server code issue vulnerability (CNVD-2021-12641)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/249176"
      },
      {
        "title": "IBM: Security Bulletin: Embedded WebSphere Application Server  is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=0b3149fa33d2f3116cd22786008cb68c"
      },
      {
        "title": "IBM: Security Bulletin:  Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=4305f48370e86ab4dffc49951e127055"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-611",
        "trust": 1.0
      },
      {
        "problemtype": "XML Improper restrictions on external entity references (CWE-611) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.4,
        "url": "https://www.ibm.com/support/pages/node/6413709"
      },
      {
        "trust": 2.4,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-21-174/"
      },
      {
        "trust": 2.3,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194882"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20353"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-xml-external-entity-xxe-injection-vulnerability-vulnerability-in-websphere-application-server-cve-2021-20353/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-cve-2021-20353/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/websphere-as-external-xml-entity-injection-34536"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.0500"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.0604"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/611.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-affects-content-collector-for-email/"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-21-174",
        "ident": null
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-12641",
        "ident": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-20353",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2021-20353",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2021-02-10T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-174",
        "ident": null
      },
      {
        "date": "2021-02-25T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-12641",
        "ident": null
      },
      {
        "date": "2021-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20353",
        "ident": null
      },
      {
        "date": "2021-10-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-003234",
        "ident": null
      },
      {
        "date": "2021-02-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202102-818",
        "ident": null
      },
      {
        "date": "2021-02-10T17:15:22.333000",
        "db": "NVD",
        "id": "CVE-2021-20353",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2021-02-10T00:00:00",
        "db": "ZDI",
        "id": "ZDI-21-174",
        "ident": null
      },
      {
        "date": "2021-02-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-12641",
        "ident": null
      },
      {
        "date": "2021-02-11T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-20353",
        "ident": null
      },
      {
        "date": "2021-10-20T09:06:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-003234",
        "ident": null
      },
      {
        "date": "2021-08-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202102-818",
        "ident": null
      },
      {
        "date": "2024-11-21T05:46:27.020000",
        "db": "NVD",
        "id": "CVE-2021-20353",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "IBM WebSphere Application Server XML External Entity (XXE) vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-003234"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "code problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202102-818"
      }
    ],
    "trust": 0.6
  }
}

