CVE-2020-4949: XEE
First published: Tue Jan 26 2021(Updated: )
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192025.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ibm Websphere Application Server | >=7.0.0.0<=7.0.0.45 | |
| Ibm Websphere Application Server | >=8.0.0.0<=8.0.0.15 | |
| Ibm Websphere Application Server | >=8.5.0.0<=8.5.5.18 | |
| Ibm Websphere Application Server | >=9.0.0.0<=9.0.5.6 | |
| HP HP-UX | ||
| IBM AIX | ||
| IBM i | ||
| Ibm Z\/os | ||
| Linux Linux kernel | ||
| Microsoft Windows | ||
| Oracle Solaris |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-4949?
The severity of CVE-2020-4949 is high with a CVSS score of 8.2.
How does CVE-2020-4949 affect IBM WebSphere Application Server?
CVE-2020-4949 affects IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0 by making them vulnerable to an XML External Entity Injection (XXE) attack.
What is an XML External Entity Injection (XXE) attack?
XML External Entity Injection (XXE) attack is a type of attack where an attacker can exploit vulnerabilities in XML input parsers to disclose internal files or execute remote code.
What are the potential impacts of CVE-2020-4949?
CVE-2020-4949 can potentially expose sensitive information or consume memory resources on the affected IBM WebSphere Application Server.
How can I fix CVE-2020-4949?
To fix CVE-2020-4949, it is recommended to apply the latest security patches provided by IBM for affected versions of WebSphere Application Server.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/author
- agent/remedy
- agent/weakness
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/ibm
- canonical/ibm websphere application server
- version/ibm websphere application server/7.0.0.0
- version/ibm websphere application server/7.0.0.45
- version/ibm websphere application server/8.0.0.0
- version/ibm websphere application server/8.0.0.15
- version/ibm websphere application server/8.5.0.0
- version/ibm websphere application server/8.5.5.18
- version/ibm websphere application server/9.0.0.0
- version/ibm websphere application server/9.0.5.6
- vendor/hp
- canonical/hp hp-ux
- canonical/ibm aix
- canonical/ibm i
- canonical/ibm z\/os
- vendor/linux
- canonical/linux linux kernel
- vendor/microsoft
- canonical/microsoft windows
- vendor/oracle
- canonical/oracle solaris