Details of VAR-202201-1205

ID

VAR-202201-1205

CVE

CVE-2021-39031

TITLE

IBM WebSphere Application Server - Liberty Injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-003973

DESCRIPTION

IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875. Vendors may IBM X-Force ID: 213875 It is published as.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The product is a platform for JavaEE and Web services applications and is the foundation of the IBM WebSphere software platform. The vulnerability stems from the lack of restrictions on LDAP in the software. Authorized resources grant permissions

Trust: 2.16

sources: NVD: CVE-2021-39031 // JVNDB: JVNDB-2022-003973 // CNVD: CNVD-2022-07636

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-07636

AFFECTED PRODUCTS

vendor:	ibm	model:	websphere application server	scope:	gte	version:	17.0.0.3	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	lte	version:	22.0.0.1	Trust: 1.0
vendor:	ibm	model:	websphere application server	scope:	eq	version:	-	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	eq	version:	17.0.0.3 to 22.0.0.1	Trust: 0.8
vendor:	ibm	model:	websphere application server	scope:	gte	version:	17.0.0.3,<=22.0.0.1	Trust: 0.6

sources: CNVD: CNVD-2022-07636 // JVNDB: JVNDB-2022-003973 // NVD: CVE-2021-39031

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-39031
value:	HIGH
Trust: 1.0
psirt@us.ibm.com:	CVE-2021-39031
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-39031
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-07636
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-2274
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-39031
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-07636
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-39031
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@us.ibm.com:	CVE-2021-39031
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2021-39031
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-07636 // JVNDB: JVNDB-2022-003973 // CNNVD: CNNVD-202201-2274 // NVD: CVE-2021-39031 // NVD: CVE-2021-39031

PROBLEMTYPE DATA

problemtype:	CWE-74	Trust: 1.0
problemtype:	injection (CWE-74) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-003973 // NVD: CVE-2021-39031

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2274

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202201-2274

PATCH

title:	6550488 IBM X-Force Exchange	url:	https://www.ibm.com/support/pages/node/6550488	Trust: 0.8
title:	Patch for IBM WebSphere Application Server Injection Vulnerability (CNVD-2022-07636)	url:	https://www.cnvd.org.cn/patchInfo/show/316691	Trust: 0.6
title:	IBM WebSphere Application Server Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180023	Trust: 0.6

sources: CNVD: CNVD-2022-07636 // JVNDB: JVNDB-2022-003973 // CNNVD: CNNVD-202201-2274

EXTERNAL IDS

db:	NVD	id:	CVE-2021-39031	Trust: 3.8
db:	JVNDB	id:	JVNDB-2022-003973	Trust: 0.8
db:	CNVD	id:	CNVD-2022-07636	Trust: 0.6
db:	CS-HELP	id:	SB2022012506	Trust: 0.6
db:	CS-HELP	id:	SB2022042565	Trust: 0.6
db:	CS-HELP	id:	SB2022032317	Trust: 0.6
db:	CS-HELP	id:	SB2022060710	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1856	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-2274	Trust: 0.6

sources: CNVD: CNVD-2022-07636 // JVNDB: JVNDB-2022-003973 // CNNVD: CNNVD-202201-2274 // NVD: CVE-2021-39031

REFERENCES

url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/213875	Trust: 2.2
url:	https://www.ibm.com/support/pages/node/6550488	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-39031	Trust: 1.4
url:	https://vigilance.fr/vulnerability/websphere-as-liberty-privilege-escalation-via-ldap-injection-37360	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022012506	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042565	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022032317	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1856	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060710	Trust: 0.6

sources: CNVD: CNVD-2022-07636 // JVNDB: JVNDB-2022-003973 // CNNVD: CNNVD-202201-2274 // NVD: CVE-2021-39031

SOURCES

db:	CNVD	id:	CNVD-2022-07636
db:	JVNDB	id:	JVNDB-2022-003973
db:	CNNVD	id:	CNNVD-202201-2274
db:	NVD	id:	CVE-2021-39031

LAST UPDATE DATE

2024-08-14T12:46:33.352000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-07636	date:	2022-01-30T00:00:00
db:	JVNDB	id:	JVNDB-2022-003973	date:	2023-03-14T04:47:00
db:	CNNVD	id:	CNNVD-202201-2274	date:	2022-06-08T00:00:00
db:	NVD	id:	CVE-2021-39031	date:	2022-01-28T21:03:04.857

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-07636	date:	2022-01-30T00:00:00
db:	JVNDB	id:	JVNDB-2022-003973	date:	2023-03-14T00:00:00
db:	CNNVD	id:	CNNVD-202201-2274	date:	2022-01-25T00:00:00
db:	NVD	id:	CVE-2021-39031	date:	2022-01-25T17:15:08.577