CVE-2020-4719

The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/187861	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6417137	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:cloud_application_performance_management:8.1.4:::::advanced_private::
	cpe:2.3:a:ibm:cloud_application_performance_management:8.1.4:::::base_private::

History

No history.

Information

Published : 2021-03-02 17:15

Updated : 2021-03-09 13:55

NVD link : CVE-2020-4719

Mitre link : CVE-2020-4719

CVE.ORG link : CVE-2020-4719

JSON object : View

Products Affected

ibm

cloud_application_performance_management

CWE

CWE-706

Use of Incorrectly-Resolved Name or Reference

{"id": "CVE-2020-4719", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2021-03-02T17:15:13.367", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187861", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6417137", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-706"}]}], "descriptions": [{"lang": "en", "value": "The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861."}, {"lang": "es", "value": "El servidor IBM Cloud APM versi\u00f3n 8.1.4, emitir\u00e1 una petici\u00f3n de DNS para resolver cualquier nombre de host especificado en la definici\u00f3n de configuraci\u00f3n de URL de Cloud Event Management Webhook. Esto podr\u00eda permitir a un usuario autenticado con autorizaci\u00f3n de administrador crear cadenas de consulta DNS que no son nombres de host. IBM X-Force ID: 187861"}], "lastModified": "2021-03-09T13:55:03.093", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cloud_application_performance_management:8.1.4:*:*:*:*:advanced_private:*:*", "vulnerable": true, "matchCriteriaId": "0A5248E8-DFED-4AF9-BC48-00E1C4983E58"}, {"criteria": "cpe:2.3:a:ibm:cloud_application_performance_management:8.1.4:*:*:*:*:base_private:*:*", "vulnerable": true, "matchCriteriaId": "609A150D-15E8-49E9-9B8E-EA463C872091"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}