CVE-2019-4424XML External Entity (XXE) Injection in IBM Business Automation Workflow

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
8.2HIGHNVD
EPSS
0.4%
top 41.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
IBM Business Automation WorkflowIBM Business Process Manager
Timeline
PublishedAug 20
Latest updateMay 24

Description

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:LExploitability: 3.9 | Impact: 4.2

Affected Packages3 packages

NVDibm/business_automation_workflow18.0.0.019.0.0.2
CVEListV5ibm/business_automation_workflow5 versions+4
NVDibm/business_process_manager7.5.0.07.5.1.2+6

🔴Vulnerability Details

2
GHSA
GHSA-pgcf-289q-wwmj: IBM Business Automation Workflow 182022-05-24
CVEList
CVE-2019-4424: IBM Business Automation Workflow 182019-08-20
CVE-2019-4424 — XML External Entity (XXE) Injection | cvebase