CVE-2020-4949XML External Entity (XXE) Injection in IBM Websphere Application Server

CWE-611XML External Entity (XXE) Injection3 documents3 sources
Severity
8.2HIGHNVD
EPSS
0.2%
top 61.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM Websphere Application Server
Timeline
PublishedJan 26
Latest updateMay 24

Description

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:LExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

NVDibm/websphere_application_server7.0.0.07.0.0.45+3
CVEListV5ibm/websphere_application_server4 versions+3

Patches

Patch: www.ibm.comPatch: www.ibm.com

🔴Vulnerability Details

2
GHSA
GHSA-3mmx-qqmq-rm69: IBM WebSphere Application Server 72022-05-24
CVEList
CVE-2020-4949: IBM WebSphere Application Server 72021-01-26
CVE-2020-4949 — XML External Entity (XXE) Injection | cvebase