Vulnerability Name:

CVE-2019-14863 (CCN-173893)

Assigned: 2019-12-03
Published: 2019-12-03
Updated: 2020-01-09
Summary: There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:

Source: MITRE
Type: CNA
CVE-2019-14863

Source: CCN
Type: AngularJS Web site
AngularJS

Source: CCN
Type: Red Hat Bugzilla – Bug 1763589
(CVE-2019-14863) - CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863

Source: XF
Type: UNKNOWN
angularjs-cve201914863-xss(173893)

Source: MISC
Type: Patch, Third Party Advisory
https://snyk.io/vuln/npm:angular:20150807

Source: CCN
Type: IBM Security Bulletin 6243446 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6455993 (Rational License Key Server)
IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS

Source: CCN
Type: IBM Security Bulletin 6466723 (MQ Appliance)
IBM MQ Appliance is affected by multiple AngularJS vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6481681 (DataPower Gateway)
Multiple vulnerabilities in AngularJS

Source: CCN
Type: IBM Security Bulletin 6565389 (WebSphere Service Registry and Repository)
Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js

Source: CCN
Type: IBM Security Bulletin 6998727 (Cloud Pak for Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business

Source: CCN
Type: IBM Security Bulletin 7001343 (Business Automation Workflow containers)
Multiple vulnerabilities in angular.js may affect IBM Business Automation Workflow ( CVE-2019-14863, CVE-2020-7676, CVE-2019-10768)

Source: CCN
Type: IBM Security Bulletin 7007837 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:angularjs:angular.js:*:*:*:*:*:*:*:* (Version >= 1.0.0 and <= 1.4.14)

Configuration 2:
  • cpe:/a:redhat:decision_manager:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:process_automation:7.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:angularjs:angular.js:1.5.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_service_registry_and_repository:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.4:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.5:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.6:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.2.0.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:rational_license_key_server:8.1.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.2.0.1:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.2.0.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:datapower_gateway:10.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID | Class | Title | Last Modified
oval:com.ubuntu.disco:def:2019148630000000 | V | CVE-2019-14863 on Ubuntu 19.04 (disco) - low. | 2020-01-02
oval:com.ubuntu.bionic:def:2019148630000000 | V | CVE-2019-14863 on Ubuntu 18.04 LTS (bionic) - low. | 2020-01-02
oval:com.ubuntu.xenial:def:2019148630000000 | V | CVE-2019-14863 on Ubuntu 16.04 LTS (xenial) - low. | 2020-01-02