Multiple vulnerabilities in IBM Process Mining

1) Deserialization of Untrusted Data

EUVDB-ID: #VU25833

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14892

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of Untrusted Data

EUVDB-ID: #VU49380

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-35491

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Deserialization of Untrusted Data

EUVDB-ID: #VU49379

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-35490

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Deserialization of Untrusted Data

EUVDB-ID: #VU49375

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36186

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Deserialization of Untrusted Data

EUVDB-ID: #VU26488

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11111

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.activemq.*. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU17779

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19361

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU19937

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14439

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU21750

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17531

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected software.

The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Code Injection

EUVDB-ID: #VU46305

Risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-24616

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Deserialization of Untrusted Data

EUVDB-ID: #VU26493

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10672

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Deserialization of Untrusted Data

EUVDB-ID: #VU49367

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36188

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Deserialization of Untrusted Data

EUVDB-ID: #VU25832

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-9548

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Deserialization of Untrusted Data

EUVDB-ID: #VU26492

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10969

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to  javax.swing.JEditorPane. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Deserialization of Untrusted Data

EUVDB-ID: #VU49374

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36185

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper access control

EUVDB-ID: #VU24272

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-20330

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions related to net.sf.ehcache in FasterXML jackson-databind. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Deserialization of Untrusted Data

EUVDB-ID: #VU49376

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36187

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Information disclosure

EUVDB-ID: #VU19941

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

18) Deserialization of Untrusted Data

EUVDB-ID: #VU49967

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-20190

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Input validation error

EUVDB-ID: #VU17781

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19362

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Input validation error

EUVDB-ID: #VU21594

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17267

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Deserialization of Untrusted Data

EUVDB-ID: #VU26489

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11112

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU17776

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14721

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Deserialization of Untrusted Data

EUVDB-ID: #VU47105

Risk: High

CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-24750

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. A remote attacker can execute arbitrary code on the target system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

24) Deserialization of Untrusted Data

EUVDB-ID: #VU49369

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36180

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

25) Remote code execution

EUVDB-ID: #VU17053

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU19933

Risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Deserialization of Untrusted Data

EUVDB-ID: #VU49378

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-35728

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

28) Deserialization of Untrusted Data

EUVDB-ID: #VU25830

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-9546

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Deserialization of Untrusted Data

EUVDB-ID: #VU27032

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11620

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the affected software mishandles the interaction between serialization gadgets and typing, related to "org.apache.commons.jelly.impl.Embedded" (aka commons-jelly). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Deserialization of Untrusted Data

EUVDB-ID: #VU49370

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36182

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Deserialization of Untrusted Data

EUVDB-ID: #VU49372

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36181

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Code Injection

EUVDB-ID: #VU25469

Risk: Medium

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-8840

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to absence of xbean-reflect/JNDI gadget blocking. A remote attacker can pass specially crafted input to the application and execute arbitrary Java code on the system, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

33) Deserialization of Untrusted Data

EUVDB-ID: #VU29128

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-14195

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Input validation error

EUVDB-ID: #VU21593

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16943

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Information disclosure

EUVDB-ID: #VU21135

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-14540

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

36) Input validation error

EUVDB-ID: #VU21470

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-10202

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) XML External Entity injection

EUVDB-ID: #VU48979

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25649

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

The vulnerability allows a remote attacker to modify information on the system.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Deserialization of Untrusted Data

EUVDB-ID: #VU25834

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14893

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as "enableDefaultTyping()" or when @JsonTypeInfo is using "Id.CLASS" or "Id.MINIMAL_CLASS" or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Deserialization of Untrusted Data

EUVDB-ID: #VU27031

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11619

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to affected software mishandles the interaction between serialization gadgets and typing, related to "org.springframework.aop.config.MethodLocatingFactoryBean" (aka spring-aop). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Deserialization of Untrusted Data

EUVDB-ID: #VU29131

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14061

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Deserialization of Untrusted Data

EUVDB-ID: #VU26490

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-11113

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

42) Information disclosure

EUVDB-ID: #VU18961

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-12814

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Deserialization of Untrusted Data

EUVDB-ID: #VU49377

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36189

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Input validation error

EUVDB-ID: #VU17778

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14719

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Deserialization of Untrusted Data

EUVDB-ID: #VU49368

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36179

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Deserialization of Untrusted Data

EUVDB-ID: #VU25831

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-9547

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

47) Deserialization of Untrusted Data

EUVDB-ID: #VU49373

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36184

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

48) Deserialization of Untrusted Data

EUVDB-ID: #VU49371

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36183

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Deserialization of Untrusted Data

EUVDB-ID: #VU19018

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-12384

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Deserialization of Untrusted Data

EUVDB-ID: #VU26494

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-10673

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

51) Input validation error

EUVDB-ID: #VU21580

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16942

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Input validation error

EUVDB-ID: #VU17780

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19360

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Deserialization of Untrusted Data

EUVDB-ID: #VU26491

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) XXE attack

EUVDB-ID: #VU17777

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14720

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform XXE attacks.

The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system. 

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Deserialization of Untrusted Data

EUVDB-ID: #VU29130

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14062

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Information disclosure

EUVDB-ID: #VU21136

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16335

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Deserialization of Untrusted Data

EUVDB-ID: #VU29129

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14060

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Process Mining: 1.12.0.3

• cpe:2.3:a:ibm_corporation:ibm_process_mining:1.12.0.3:*:*:*:*:*:*:*

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/
http://www.ibm.com/support/pages/node/6593435

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.