CVE-2022-43859 — SQL Injection in IBM Navigator FOR I

CWE-89 — SQL Injection CWE-502 — Deserialization of Untrusted Data9 documents7 sources

Severity

4.3MEDIUMNVD

CNA6.3GHSA7.5

EPSS

0.1%

top 75.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Navigator FOR I IBM I

Timeline

PublishedDec 22

Description

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface. IBM X-Force ID: 239304.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ibm/navigator_for_i7.3, 7.4, 7.5

▶NVDibm/i7.3, 7.4, 7.5+2

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-ppqf-24vq-48jf: IBM Navigator for i 7↗2022-12-22

▶

CVEList

IBM Navigator for i SQL injection↗2022-12-22

▶

GHSA

DoS vulnerability in bundled XStream library in Jenkins Core↗2022-02-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: General (XStream) — CVE-2021-43859↗2022-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: EM Gateway (XStream) — CVE-2021-43859↗2022-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Visualization, Database (XStream) — CVE-2021-43859↗2022-04-15

▶

Red Hat

jenkins: DoS vulnerability in bundled XStream library↗2022-02-09

▶