cnvd - cnvd-2019-32434

CNVD-2019-32434

Vulnerability from cnvd - Published: 2019-09-18

Title

IBM Emptoris Sourcing信息泄露漏洞（CNVD-2019-32434）

Description

IBM Emptoris Sourcing是美国IBM公司的一套基于Web的企业采购流程管理解决方案。 IBM Emptoris Sourcing存在信息泄露漏洞。攻击者可利用该漏洞获取错误消息中的敏感信息。

Severity

中

Patch Name

IBM Emptoris Sourcing信息泄露漏洞（CNVD-2019-32434）的补丁

Patch Description

IBM Emptoris Sourcing是美国IBM公司的一套基于Web的企业采购流程管理解决方案。 IBM Emptoris Sourcing存在信息泄露漏洞。攻击者可利用该漏洞获取错误消息中的敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www-01.ibm.com/support/docview.wss?uid=ibm10880221

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-4308

Impacted products

Name
IBM IBM Emptoris Sourcing >=10.1.0，<=10.1.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-4308",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-4308"
    }
  },
  "description": "IBM Emptoris Sourcing\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eWeb\u7684\u4f01\u4e1a\u91c7\u8d2d\u6d41\u7a0b\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\n\nIBM Emptoris Sourcing\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u9519\u8bef\u6d88\u606f\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www-01.ibm.com/support/docview.wss?uid=ibm10880221",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-32434",
  "openTime": "2019-09-18",
  "patchDescription": "IBM Emptoris Sourcing\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eWeb\u7684\u4f01\u4e1a\u91c7\u8d2d\u6d41\u7a0b\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nIBM Emptoris Sourcing\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u9519\u8bef\u6d88\u606f\u4e2d\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Emptoris Sourcing\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-32434\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "IBM IBM Emptoris Sourcing \u003e=10.1.0\uff0c\u003c=10.1.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-4308",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-22",
  "title": "IBM Emptoris Sourcing\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-32434\uff09"
}

CVE-2019-4308 (GCVE-0-2019-4308)

Vulnerability from cvelistv5 – Published: 2019-08-20 18:25 – Updated: 2024-09-17 00:40

Summary

IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 could allow an authenticated user to obtain sensitive information from error messages IBM X-Force ID: 161034.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.0/AV:N/S:U/PR:L/I:N/UI:N/A:N/C:L/AC:L/E:U/RC:C/RL:O

CWE

Obtain Information

Assigner

ibm

References

URL

Tags

	https://www.ibm.com/support/docview.wss?uid=ibm10880221	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF

Impacted products

Vendor

Product

Version

IBM

Emptoris Sourcing

Affected: 10.1.0
Affected: 10.1.3

	IBM	Contract Management	Affected: 10.1.0 Affected: 10.1.3
	IBM	Emptoris Spend Analysis	Affected: 10.1.0 Affected: 10.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:33:37.901Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
          },
          {
            "name": "ibm-emptoris-cve20194308-info-disc (161034)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161034"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Emptoris Sourcing",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        },
        {
          "product": "Contract Management",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        },
        {
          "product": "Emptoris Spend Analysis",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.1.3"
            }
          ]
        }
      ],
      "datePublic": "2019-08-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 could allow an authenticated user to obtain sensitive information from error messages IBM X-Force ID: 161034."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 3.8,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/S:U/PR:L/I:N/UI:N/A:N/C:L/AC:L/E:U/RC:C/RL:O",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Obtain Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-20T18:25:26",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
        },
        {
          "name": "ibm-emptoris-cve20194308-info-disc (161034)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161034"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2019-08-13T00:00:00",
          "ID": "CVE-2019-4308",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Emptoris Sourcing",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Contract Management",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Emptoris Spend Analysis",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.1.0"
                          },
                          {
                            "version_value": "10.1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 could allow an authenticated user to obtain sensitive information from error messages IBM X-Force ID: 161034."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "L",
              "AV": "N",
              "C": "L",
              "I": "N",
              "PR": "L",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Obtain Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/docview.wss?uid=ibm10880221",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 880221 (Emptoris Sourcing)",
              "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880221"
            },
            {
              "name": "ibm-emptoris-cve20194308-info-disc (161034)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161034"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2019-4308",
    "datePublished": "2019-08-20T18:25:26.552896Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-17T00:40:47.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-32434

CVE-2019-4308 (GCVE-0-2019-4308)

Tags

Sightings

Nomenclature