IBM Emptoris Sourcing 10.1.0/10.1.1/10.1.3 HTTP Request injection

Summaryinfo

A vulnerability categorized as critical has been discovered in IBM Emptoris Sourcing 10.1.0/10.1.1/10.1.3. Affected by this vulnerability is an unknown functionality of the component HTTP Request Handler. Such manipulation leads to injection. This vulnerability is referenced as CVE-2020-4896. It is possible to launch the attack remotely. No exploit is available.

Detailsinfo

A vulnerability, which was classified as critical, has been found in IBM Emptoris Sourcing 10.1.0/10.1.1/10.1.3. Affected by this issue is an unknown functionality of the component HTTP Request Handler. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability.

The weakness was published 01/08/2021. The advisory is shared for download at ibm.com. This vulnerability is handled as CVE-2020-4896. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1055.

The vulnerability is also documented in the vulnerability database at X-Force (190987). Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• IBM

Name

• Emptoris Sourcing

Version

• 10.1.0
• 10.1.1
• 10.1.3

License

• commercial

Website

• Vendor: https://www.ibm.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion