Skip to main content

Cloud Orchestrator CVE-2019-4396

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2019-10-25 psirt@us.ibm.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 25, 2019 - 17:15 nvd
MEDIUM 5.4

DescriptionNVD

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 162236.

AnalysisAI

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-74. IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 162236. Affected products include: Ibm Cloud Orchestrator. Version information: through 2.4.0.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-4399 HIGH
7.5 Oct 25

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 uses weaker than expected cryptographic algorithms th

CVE-2016-0204 MEDIUM
6.8 Oct 16

Open redirect vulnerability in IBM Cloud Orchestrator 2.4.x before 2.4.0 FP3 allows remote authenticated users to redire

CVE-2019-4397 MEDIUM
6.5 Oct 24

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 stores sensitiv

CVE-2016-0203 MEDIUM
5.5 Feb 08

A vulnerability has been identified in the IBM Cloud Orchestrator task API. Rated medium severity (CVSS 5.5), this vulne

CVE-2019-4461 MEDIUM
5.4 Oct 25

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP Response Splitting caused by im

CVE-2019-4459 MEDIUM
5.4 Oct 24

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 is vulnerable t

CVE-2019-4400 MEDIUM
4.3 Oct 25

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 could allow a remote attacker to traverse directories

CVE-2016-0202 LOW
3.3 Feb 08

A vulnerability has been identified in tasks, backend object generated for handling any action performed by the applicat

CVE-2016-0206 LOW
3.3 Feb 08

IBM Cloud Orchestrator could allow a local authenticated attacker to cause the server to slow down for a short period of

CVE-2019-4395 LOW
3.3 Oct 25

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 could allow a local user to obtain sensitive informat

CVE-2019-4398 LOW
3.3 Oct 24

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.9 and 2.4 through 2.4.0.5 could allow a l

CVE-2015-7494 LOW
2.8 Feb 08

A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. Rated low severity (CVSS 2.8

Share

CVE-2019-4396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy