CVE-2019-4732 : IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 thro

IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.

Published 2020-02-03 17:15:15

Updated 2020-02-06 18:24:35

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: File inclusionExecute code

Products affected by CVE-2019-4732

IBM » Websphere Application Server » Version: 7.0
cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Application Server » Version: 8.0
cpe:2.3:a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Application Server » Version: 9.0
cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Application Server » Version: 8.5
cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
Matching versions
IBM » SDK » Java Technology Edition
Versions from including (>=) 8.0.0.0 and up to, including, (<=) 8.0.6.0
cpe:2.3:a:ibm:sdk:*:*:*:*:java_technology:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
IBM » SDK » Java Technology Edition
Versions from including (>=) 7.0.0.0 and up to, including, (<=) 7.0.10.55
cpe:2.3:a:ibm:sdk:*:*:*:*:java_technology:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
IBM » SDK » Java Technology Edition
Versions from including (>=) 7.1.0.0 and up to, including, (<=) 7.1.4.55
cpe:2.3:a:ibm:sdk:*:*:*:*:java_technology:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Threat overview for CVE-2019-4732

Top countries where our scanners detected CVE-2019-4732

Top open port discovered on systems with this issue 9080

IPs affected by CVE-2019-4732 614

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-4732!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-4732

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-4732

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.2	HIGH	CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H	0.6	6.0	IBM Corporation
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H	0.6	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-4732

CWE-426 Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-4732

https://www.ibm.com/support/pages/node/1288060

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/172618

IBM Java code execution CVE-2019-4732 Vulnerability Report
VDB Entry;Vendor Advisory