CVE-2020-4893 : IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits se

IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. This may lead to information disclosure via man in the middle methods. IBM X-Force ID: 190984.

Published 2021-01-07 18:15:13

Updated 2021-01-08 19:56:38

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2020-4893

IBM » Emptoris Strategic Supply Management
Versions from including (>=) 10.1.3.0 and before (<) 10.1.3.30
cpe:2.3:a:ibm:emptoris_strategic_supply_management:*:*:*:*:*:*:*:*
Matching versions
IBM » Emptoris Strategic Supply Management
Versions from including (>=) 10.1.0.0 and before (<) 10.1.0.38
cpe:2.3:a:ibm:emptoris_strategic_supply_management:*:*:*:*:*:*:*:*
Matching versions
IBM » Emptoris Strategic Supply Management
Versions from including (>=) 10.1.1.0 and before (<) 10.1.1.35
cpe:2.3:a:ibm:emptoris_strategic_supply_management:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-4893

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-4893

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2020-4893

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-4893

https://www.ibm.com/support/pages/node/6398282

Security Bulletin: Forced Submit Using GET Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2020-4893)
Patch;Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/190984

IBM Emptoris Strategic Supply Management information disclosure CVE-2020-4893 Vulnerability Report
VDB Entry;Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-4893

Products affected by CVE-2020-4893

Exploit prediction scoring system (EPSS) score for CVE-2020-4893

CVSS scores for CVE-2020-4893

CWE ids for CVE-2020-4893

References for CVE-2020-4893