| Vulnerability Name: | CVE-2020-4498 (CCN-182118) |
| Assigned: | 2019-12-30 |
| Published: | 2020-07-23 |
| Updated: | 2021-07-21 |
| Summary: | IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privileged user to obtain highly sensitve information due to inclusion of data within trace files. IBM X-Force ID: 182118.
|
| CVSS v3 Severity: | 4.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
3.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): None
Availibility (A): None |
4.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
3.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): None
Availibility (A): None |
|
| CVSS v2 Severity: | 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)| Exploitability Metrics: | Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None | | Impact Metrics: | Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None |
3.8 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:N/A:N)| Exploitability Metrics: | Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): Single_Instance
| | Impact Metrics: | Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None |
|
| Vulnerability Type: | CWE-200
|
| Vulnerability Consequences: | Obtain Information |
| References: | Source: MITRE
Type: CNA
CVE-2020-4498
Source: XF
Type: UNKNOWN
ibm-mq-cve20204498-info-disc(182118)
Source: XF
Type: VDB Entry, Vendor Advisory
ibm-mq-cve20204498-info-disc (182118)
Source: CCN
Type: IBM Security Bulletin 6252409 (MQ Appliance)
IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4498)
Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.ibm.com/support/pages/node/6252409
Source: CCN
Type: IBM Security Bulletin 6380782 (App Connect Enterprise Certified Container)
App Connect Enterprise Certified Container Integration Servers could allow information exposure when using MQ (CVE-2020-4498)
|
| Vulnerable Configuration: | Configuration 1:
cpe:/a:ibm:mq_appliance:*:*:*:*:continuous_delivery:*:*:* (Version >= 9.1.0.0 and < 9.2.0.0)OR cpe:/a:ibm:mq_appliance:*:*:*:*:lts:*:*:* (Version >= 9.1.0.0 and < 9.1.0.6)
Configuration CCN 1:
cpe:/a:ibm:mq_appliance:9.1.0.0:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.0.1:*:*:*:*:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.1:*:*:*:*:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.0.2:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.2:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.0.3:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.3:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.0.4:*:*:*:*:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.4:*:*:*:continuous_delivery:*:*:*OR cpe:/a:ibm:mq_appliance:9.1.5:*:*:*:continuous_delivery:*:*:*AND cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.0:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.1:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.2:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.3:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.4:*:*:*:*:*:*:*
 Denotes that component is vulnerable |
| BACK |