<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
vulnerability report

CVE-2020-4949: IBM WebSphere Application Server - XXE attack

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1        Vulnerability Summary

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. 

CVE-2020-4949

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base score of this vulnerability is 8.2 High as per NVD. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

1.3        Affected Version

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0

1.4        Vulnerability Attribution

These vulnerabilities were discovered and reported by IBM Corporation.

1.5        Risk Impact

WebSphere Application Server is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM's WebSphere software suite.

Per this website WebSphere is used heavily by top enterprises as below:

 Using IBM WebSphere

Exploiting this vulnerability can lead to exfiltration of sensitive data via an XXE attack and can facilitate lateral movement between workloads. There are no publicly available exploits.

1.6        Virsec Security Platform (VSP) Support:

VSP-APG has capability that can detect XXE attacks and prevent this attack from being exploited.

 

1.7        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Do you have a request for a vulnerability Virsec Security Research Lab to explore? Let us know!