cnvd - cnvd-2019-31128

CNVD-2019-31128

Vulnerability from cnvd - Published: 2019-09-11

Title

IBM Emptoris Spend Analysis信息泄露漏洞

Description

IBM Emptoris Spend Analysis是美国IBM公司的一套采购解决方案中的用于对分散系统的支出数据进行整合、清理和分类的产品。 IBM Emptoris Spend Analysis 10.1.0版本至10.1.3版本中存在信息泄露漏洞，该漏洞源于程序所产生的错误消息中含有敏感信息，攻击者可利用该漏洞获取敏感信息。

Severity

中

Patch Name

IBM Emptoris Spend Analysis信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www-01.ibm.com/support/docview.wss?uid=ibm10880221

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-4485

Impacted products

Name
IBM Emptoris Spend Analysis >=10.1.0，<=10.1.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-4485",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-4485"
    }
  },
  "description": "IBM Emptoris Spend Analysis\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u91c7\u8d2d\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u7528\u4e8e\u5bf9\u5206\u6563\u7cfb\u7edf\u7684\u652f\u51fa\u6570\u636e\u8fdb\u884c\u6574\u5408\u3001\u6e05\u7406\u548c\u5206\u7c7b\u7684\u4ea7\u54c1\u3002\n\nIBM Emptoris Spend Analysis 10.1.0\u7248\u672c\u81f310.1.3\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6240\u4ea7\u751f\u7684\u9519\u8bef\u6d88\u606f\u4e2d\u542b\u6709\u654f\u611f\u4fe1\u606f\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www-01.ibm.com/support/docview.wss?uid=ibm10880221",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-31128",
  "openTime": "2019-09-11",
  "patchDescription": "IBM Emptoris Spend Analysis\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u91c7\u8d2d\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u7528\u4e8e\u5bf9\u5206\u6563\u7cfb\u7edf\u7684\u652f\u51fa\u6570\u636e\u8fdb\u884c\u6574\u5408\u3001\u6e05\u7406\u548c\u5206\u7c7b\u7684\u4ea7\u54c1\u3002\r\n\r\nIBM Emptoris Spend Analysis 10.1.0\u7248\u672c\u81f310.1.3\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6240\u4ea7\u751f\u7684\u9519\u8bef\u6d88\u606f\u4e2d\u542b\u6709\u654f\u611f\u4fe1\u606f\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Emptoris Spend Analysis\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM Emptoris Spend Analysis \u003e=10.1.0\uff0c\u003c=10.1.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-4485",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-21",
  "title": "IBM Emptoris Spend Analysis\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2019-4485 (GCVE-0-2019-4485)

Vulnerability from cvelistv5 – Published: 2019-08-20 18:25 – Updated: 2024-09-17 01:50

Summary

IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.0/UI:N/PR:L/I:N/S:U/AV:N/AC:L/C:L/A:N/E:U/RC:C/RL:O

CWE

Obtain Information

Assigner

ibm

References

URL

Tags

	https://www.ibm.com/support/docview.wss?uid=ibm10880221	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF

Impacted products

Vendor

Product

Version

IBM

Contract Management

Affected: 10.1.0
Affected: 10.1.3

	IBM	Emptoris Spend Analysis	Affected: 10.1.0 Affected: 10.1.3
	IBM	Emptoris Sourcing	Affected: 10.1.0 Affected: 10.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:40:47.396Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
          },
          {
            "name": "ibm-emptoris-cve20194485-info-disc (164069)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/164069"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Contract Management",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        },
        {
          "product": "Emptoris Spend Analysis",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        },
        {
          "product": "Emptoris Sourcing",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        }
      ],
      "datePublic": "2019-08-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 3.8,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/UI:N/PR:L/I:N/S:U/AV:N/AC:L/C:L/A:N/E:U/RC:C/RL:O",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Obtain Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-20T18:25:27",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
        },
        {
          "name": "ibm-emptoris-cve20194485-info-disc (164069)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/164069"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2019-08-13T00:00:00",
          "ID": "CVE-2019-4485",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Contract Management",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Emptoris Spend Analysis",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Emptoris Sourcing",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "L",
              "AV": "N",
              "C": "L",
              "I": "N",
              "PR": "L",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Obtain Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/docview.wss?uid=ibm10880221",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 880221 (Emptoris Sourcing)",
              "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
            },
            {
              "name": "ibm-emptoris-cve20194485-info-disc (164069)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/164069"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2019-4485",
    "datePublished": "2019-08-20T18:25:27.111414Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-17T01:50:37.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-31128

CVE-2019-4485 (GCVE-0-2019-4485)

Tags

Sightings

Nomenclature