CVE-2019-4056 : IBM Maximo Asset Management 7.6 Work Centers' application does not validate file

IBM Maximo Asset Management 7.6 Work Centers' application does not validate file type upon upload, allowing attackers to upload malicious files. IBM X-Force ID: 156565.

Published 2019-06-06 01:29:00

Updated 2022-12-09 18:29:51

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2019-4056

IBM » Maximo Asset Management » Version: 7.6
cpe:2.3:a:ibm:maximo_asset_management:7.6:*:*:*:*:*:*:*
Matching versions
IBM » Smartcloud Control Desk » Version: N/A
cpe:2.3:a:ibm:smartcloud_control_desk:-:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Nuclear Power » Version: 7.6.0
cpe:2.3:a:ibm:maximo_for_nuclear_power:7.6.0:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.2.1
cpe:2.3:a:ibm:maximo_for_transportation:7.6.2.1:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.2.2
cpe:2.3:a:ibm:maximo_for_transportation:7.6.2.2:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.2.3
cpe:2.3:a:ibm:maximo_for_transportation:7.6.2.3:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.2.4
cpe:2.3:a:ibm:maximo_for_transportation:7.6.2.4:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.2
cpe:2.3:a:ibm:maximo_for_transportation:7.6.2:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Transportation » Version: 7.6.1
cpe:2.3:a:ibm:maximo_for_transportation:7.6.1:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Life Sciences » Version: 7.6
cpe:2.3:a:ibm:maximo_for_life_sciences:7.6:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Oil And Gas » Version: 7.6.0
cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.6.0:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Utilities » Version: 7.6
cpe:2.3:a:ibm:maximo_for_utilities:7.6:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Aviation » Version: 7.6
cpe:2.3:a:ibm:maximo_for_aviation:7.6:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Aviation » Version: 7.6.2.1
cpe:2.3:a:ibm:maximo_for_aviation:7.6.2.1:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Aviation » Version: 7.6.1
cpe:2.3:a:ibm:maximo_for_aviation:7.6.1:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Aviation » Version: 7.6.2
cpe:2.3:a:ibm:maximo_for_aviation:7.6.2:*:*:*:*:*:*:*
Matching versions
IBM » Maximo For Aviation » Version: 7.6.3
cpe:2.3:a:ibm:maximo_for_aviation:7.6.3:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Integration Composer » Version: N/A
cpe:2.3:a:ibm:tivoli_integration_composer:-:*:*:*:*:*:*:*
Matching versions
IBM » Control Desk » Version: 7.6.0
cpe:2.3:a:ibm:control_desk:7.6.0:*:*:*:*:*:*:*
Matching versions
IBM » Control Desk » Version: 7.6.0.1
cpe:2.3:a:ibm:control_desk:7.6.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-4056

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-4056

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2019-4056

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-4056

https://exchange.xforce.ibmcloud.com/vulnerabilities/156565

IBM Maximo Asset Management file upload CVE-2019-4056 Vulnerability Report
VDB Entry;Vendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10880149

IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to Malicious File Upload attack (CVE-2019-4056)
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-4056

Products affected by CVE-2019-4056

Exploit prediction scoring system (EPSS) score for CVE-2019-4056

CVSS scores for CVE-2019-4056

CWE ids for CVE-2019-4056

References for CVE-2019-4056