Details of VAR-202102-0625

ID

VAR-202102-0625

CVE

CVE-2021-20353

TITLE

IBM WebSphere Application Server In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-003234

DESCRIPTION

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882. Vendor exploits this vulnerability IBM X-Force ID: 194882 Is published as.Information is obtained and denial of service (DoS) It may be put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the EDataGraphImpl class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. This product is a platform for JavaEE and Web service applications, as well as the foundation of the IBM WebSphere software platform. There is a code problem vulnerability in IBM WebSphere Application Server, which stems from improper design or implementation problems in the code development process of network systems or products. No detailed vulnerability details are currently provided

Trust: 2.88

sources: NVD: CVE-2021-20353 // JVNDB: JVNDB-2021-003234 // ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // VULMON: CVE-2021-20353

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-12641

AFFECTED PRODUCTS

vendor:	ibm	model:	websphere application server	scope:	gte	version:	8.0.0.0	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	lt	version:	8.5.5.20	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	lt	version:	7.0.0.45	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	gte	version:	9.0.0.0	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	gte	version:	7.0.0.0	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	gte	version:	8.5.0.0	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	lt	version:	9.0.5.7	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	lt	version:	8.0.0.15	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	eq	version:	7.0	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	eq	version:	9.0	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	eq	version:	-	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	eq	version:	8.5	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	eq	version:	8.0	Trust: 0.8
vendor:	ibm	model:	websphere	scope:	-	version:	-	Trust: 0.7
vendor:	ibm	model:	websphere application server	scope:	-	version:	-	Trust: 0.6

sources: ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // JVNDB: JVNDB-2021-003234 // NVD: CVE-2021-20353

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-20353
value:	HIGH
Trust: 1.0
psirt@us.ibm.com:	CVE-2021-20353
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-20353
value:	HIGH
Trust: 0.8
ZDI:	CVE-2021-20353
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2021-12641
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202102-818
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-20353
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-20353
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-12641
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

psirt@us.ibm.com:	CVE-2021-20353
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	4.2
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2021-20353
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	4.2
version:	3.1
Trust: 1.0
ZDI:	CVE-2021-20353
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // VULMON: CVE-2021-20353 // JVNDB: JVNDB-2021-003234 // CNNVD: CNNVD-202102-818 // NVD: CVE-2021-20353 // NVD: CVE-2021-20353

PROBLEMTYPE DATA

problemtype:	CWE-611	Trust: 1.0
problemtype:	XML Improper restrictions on external entity references (CWE-611) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-003234 // NVD: CVE-2021-20353

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-818

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-818

PATCH

title:	6413709 IBM X-Force Exchange	url:	https://www.ibm.com/support/pages/node/6413709	Trust: 1.5
title:	Patch for IBM WebSphere Application Server code issue vulnerability (CNVD-2021-12641)	url:	https://www.cnvd.org.cn/patchInfo/show/249176	Trust: 0.6
title:	IBM: Security Bulletin: Embedded WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability affects Content Collector for Email	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=0b3149fa33d2f3116cd22786008cb68c	Trust: 0.1
title:	IBM: Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=4305f48370e86ab4dffc49951e127055	Trust: 0.1

sources: ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // VULMON: CVE-2021-20353 // JVNDB: JVNDB-2021-003234

EXTERNAL IDS

db:	NVD	id:	CVE-2021-20353	Trust: 3.8
db:	ZDI	id:	ZDI-21-174	Trust: 2.4
db:	JVNDB	id:	JVNDB-2021-003234	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-12478	Trust: 0.7
db:	CNVD	id:	CNVD-2021-12641	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0500	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0604	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-818	Trust: 0.6
db:	VULMON	id:	CVE-2021-20353	Trust: 0.1

sources: ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // VULMON: CVE-2021-20353 // JVNDB: JVNDB-2021-003234 // CNNVD: CNNVD-202102-818 // NVD: CVE-2021-20353

REFERENCES

url:	https://www.ibm.com/support/pages/node/6413709	Trust: 2.4
url:	https://www.zerodayinitiative.com/advisories/zdi-21-174/	Trust: 2.4
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/194882	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-20353	Trust: 0.8
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-xml-external-entity-xxe-injection-vulnerability-vulnerability-in-websphere-application-server-cve-2021-20353/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-cve-2021-20353/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/websphere-as-external-xml-entity-injection-34536	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0500	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0604	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-an-xml-external-entity-xxe-injection-vulnerability-affects-content-collector-for-email/	Trust: 0.1

sources: ZDI: ZDI-21-174 // CNVD: CNVD-2021-12641 // VULMON: CVE-2021-20353 // JVNDB: JVNDB-2021-003234 // CNNVD: CNNVD-202102-818 // NVD: CVE-2021-20353

CREDITS

r00t4dm at Cloud-Penetrating Arrow Lab and Longofo at Knownsec 404 Team

Trust: 0.7

sources: ZDI: ZDI-21-174

SOURCES

db:	ZDI	id:	ZDI-21-174
db:	CNVD	id:	CNVD-2021-12641
db:	VULMON	id:	CVE-2021-20353
db:	JVNDB	id:	JVNDB-2021-003234
db:	CNNVD	id:	CNNVD-202102-818
db:	NVD	id:	CVE-2021-20353

LAST UPDATE DATE

2024-08-14T14:44:33.158000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-174	date:	2021-02-10T00:00:00
db:	CNVD	id:	CNVD-2021-12641	date:	2021-02-26T00:00:00
db:	VULMON	id:	CVE-2021-20353	date:	2021-02-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-003234	date:	2021-10-20T09:06:00
db:	CNNVD	id:	CNNVD-202102-818	date:	2021-08-05T00:00:00
db:	NVD	id:	CVE-2021-20353	date:	2021-02-11T23:03:39.650

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-174	date:	2021-02-10T00:00:00
db:	CNVD	id:	CNVD-2021-12641	date:	2021-02-25T00:00:00
db:	VULMON	id:	CVE-2021-20353	date:	2021-02-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-003234	date:	2021-10-20T00:00:00
db:	CNNVD	id:	CNNVD-202102-818	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2021-20353	date:	2021-02-10T17:15:22.333