Vulnerability Details : CVE-2019-4294
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.6, 7.6.0.0 through 7.6.0.15 and IBM MQ Appliance 8.0.0.0 through 8.0.0.12, 9.1.0.0 through 9.1.0.2, and 9.1.1 through 9.1.2 could allow a local attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. IBM X-Force ID: 16188.
Products affected by CVE-2019-4294
- cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*
- IBM » Datapower Gateway: versions from (including) 2018.4.1.0 up to (including) 2018.4.1.6. cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:mq_appliance:*:*:*:*:*:*:*:*
- IBM » Mq Appliance » LTS Edition: versions from (including) 9.1.0.0 up to (including) 9.1.0.2. cpe:2.3:a:ibm:mq_appliance:*:*:*:*:lts:*:*:*
- IBM » Mq Appliance » Continuous Delivery Edition: versions from (including) 9.1.1 up to (including) 9.1.2. cpe:2.3:a:ibm:mq_appliance:*:*:*:*:continuous_delivery:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-4294
- 0.04%: Probability of exploitation activity in the next 30 days
- ~8%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-4294
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
8.4 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.5 | 5.9 | IBM Corporation | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-4294
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-4294
- https://www.ibm.com/support/docview.wss?uid=ibm10887005
  IBM Security Bulletin: IBM MQ Appliance is affected by a command injection vulnerability (CVE-2019-4294) (Vendor Advisory)
- https://www.ibm.com/support/docview.wss?uid=ibm10958933
  IBM Security Bulletin: IBM DataPower Gateway is affected by an injection vulnerability (CVE-2019-4294) (Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/160701
  IBM MQ code execution CVE-2019-4294 Vulnerability Report (Broken Link; VDB Entry)