5.4
CVE-2019-4396
- EPSS 0.18%
- Veröffentlicht 25.10.2019 17:15:11
- Zuletzt bearbeitet 21.11.2024 04:43:33
- Quelle psirt@us.ibm.com
- CVE-Watchlists
- Unerledigt
LoginIBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 162236.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ibm ≫ Cloud Orchestrator SwEdition- Version >= 2.4.0.0 <= 2.4.0.5
Ibm ≫ Cloud Orchestrator SwEditionenterprise Version >= 2.4.0.0 <= 2.4.0.5
Ibm ≫ Cloud Orchestrator SwEdition- Version >= 2.5.0.0 <= 2.5.0.9
Ibm ≫ Cloud Orchestrator SwEditionenterprise Version >= 2.5.0.0 <= 2.5.0.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.396 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
| psirt@us.ibm.com | 5.4 | 2.3 | 2.7 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.