Severity
Medium
Analysis Summary
CVE-2021-29737
IBM InfoSphere Data Flow Designer Engine (IBM InfoSphere Information Server 11.7 ) component has improper validation of the REST API server certificate.
CVE-2021-29738
IBM InfoSphere Data Flow Designer (IBM InfoSphere Information Server 11.7 ) is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVE-2021-29771
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2021-29875
IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information due to a insecure third-party domain access vulnerability.
CVE-2021-29888
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2021-38948
IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Impact
- Information Disclosure
- Unauthorized Access
- Cross-Site Scripting
- Exposure of Sensitive Data
Affected Vendors
- IBM
Affected Products
- IBM InfoSphere Information Server 11.7
Remediation
Refer to IBM Security Bulletin for patch, upgrade, or suggested workaround information.
CVE-2021-29737
CVE-2021-29738
CVE-2021-29771
CVE-2021-29875
CVE-2021-29888
CVE-2021-38948