CVE-2022-22489: XML External Entity (XXE) Injection in IBM MQ

Severity
9.1 CRITICAL (NVD)
EPSS
0.6%
top 30.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 19
Latest update: Aug 20

Description

IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: ibm/mq, 5 versions +4
NVD: ibm/mq, 5 versions +4

Patches

Vulnerability Details

2
GHSA
GHSA-4f9w-3c78-j5r7: IBM MQ 8 (2022-08-20)
CVEList
CVE-2022-22489: IBM MQ 8 (2022-08-19)