Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-14322 CVE-2019-14806 |
CWE-ID | CWE-20 CWE-331 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
IBM Cloud Pak for Data System Server applications / Other server solutions |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU19553
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-14322
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to access arbitrary files on the target system.
The vulnerability exists due to the "SharedDataMiddleware" mishandles drive names (such as C:) in Windows pathnames. A remote attacker can access arbitrary files on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Data System: before 2.0.2.1.IF1
CPE2.3http://www.ibm.com/support/pages/node/7136117
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU30827
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14806
CWE-ID:
CWE-331 - Insufficient Entropy
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Data System: before 2.0.2.1.IF1
CPE2.3http://www.ibm.com/support/pages/node/7136117
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.