What is CVE-2021-20492?

CVE-2021-20492 is a vulnerability in IBM WebSphere Application Server and Liberty Java Batch that allows for an XML External Entity (XXE) injection attack, potentially exposing sensitive information or consuming memory resources.

Who is affected by CVE-2021-20492?

Users of IBM WebSphere Application Server versions 8.0, 8.5, 9.0, and Liberty Java Batch versions 17.0.0.3 to 21.0.0.5 are affected by CVE-2021-20492.

What is the severity of CVE-2021-20492?

CVE-2021-20492 has a severity rating of 8.2 (high).

How can an attacker exploit CVE-2021-20492?

An attacker can exploit CVE-2021-20492 by injecting malicious XML data to perform an XML External Entity (XXE) attack, potentially exposing sensitive information or consuming memory resources.

Is there a fix for CVE-2021-20492?

IBM has released security updates to address CVE-2021-20492. It is recommended to update to the latest version of IBM WebSphere Application Server or Liberty Java Batch to mitigate this vulnerability.

Vulnerability/
CVE-2021-20492

high

8.2

CWE

611

26/5/2021

16/9/2024

CVE-2021-20492: XEE

First published: Wed May 26 2021(Updated: )

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.

Credit: psirt@us.ibm.com

Affected Software	Affected Version	How to fix
IBM Cloud Pak for Automation	<=20.0.3-IF002
IBM Cloud Pak for Automation	<=21.0.1
Ibm Websphere Application Server	>=8.0.0.0<=8.0.0.15
Ibm Websphere Application Server	>=8.5.0.0<=8.5.5.19
Ibm Websphere Application Server	>=9.0.0.0<=9.0.5.7
Ibm Websphere Application Server	>=17.0.0.3<=21.0.0.5

Remedy

https://www.ibm.com/support/pages/node/6456017

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-6465127

Frequently Asked Questions

What is CVE-2021-20492?
CVE-2021-20492 is a vulnerability in IBM WebSphere Application Server and Liberty Java Batch that allows for an XML External Entity (XXE) injection attack, potentially exposing sensitive information or consuming memory resources.
Who is affected by CVE-2021-20492?
Users of IBM WebSphere Application Server versions 8.0, 8.5, 9.0, and Liberty Java Batch versions 17.0.0.3 to 21.0.0.5 are affected by CVE-2021-20492.
What is the severity of CVE-2021-20492?
CVE-2021-20492 has a severity rating of 8.2 (high).
How can an attacker exploit CVE-2021-20492?
An attacker can exploit CVE-2021-20492 by injecting malicious XML data to perform an XML External Entity (XXE) attack, potentially exposing sensitive information or consuming memory resources.
Is there a fix for CVE-2021-20492?
IBM has released security updates to address CVE-2021-20492. It is recommended to update to the latest version of IBM WebSphere Application Server or Liberty Java Batch to mitigate this vulnerability.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/references
agent/weakness
agent/remedy
agent/author
agent/tags
agent/description
agent/event
agent/first-publish-date
collector/ibm-support
source/IBM
agent/software-canonical-lookup
vendor/ibm
canonical/ibm websphere application server
version/ibm websphere application server/8.0.0.0
version/ibm websphere application server/8.0.0.15
version/ibm websphere application server/8.5.0.0
version/ibm websphere application server/8.5.5.19
version/ibm websphere application server/9.0.0.0
version/ibm websphere application server/9.0.5.7
version/ibm websphere application server/17.0.0.3
version/ibm websphere application server/21.0.0.5
canonical/ibm cloud pak for automation
version/ibm cloud pak for automation/20.0.3-if002
version/ibm cloud pak for automation/21.0.1