JR59569: SECURITY APAR - CVE-2018-1674 - SQL INJECTION OCCURS IN A REST API
Direct links to fixes
Closed as program error.
CVEID: CVE-2018-1674
DESCRIPTION: IBM Business Process Manager is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
No additional information is available.
A fix that ensures user input is properly escaped when used in a SQL query is available for the latest fix pack of all supported IBM BPM releases (V184.108.40.206, V220.127.116.11, V18.104.22.168 CF02, V22.214.171.124 CF 2017.06, V126.96.36.199. CF 2018.03) and will be included in a future release of IBM Business Automation Workflow.
Reported component name
Reported component ID
NoSpecatt / Xsystem
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID