IBM Tivoli Workload Scheduler XML external entity injection
CVE-2022-22486

10CRITICAL

Key Information:

Vendor: IBM
Status: Tivoli Workload Scheduler
Vendor: CVE Published:; 2 February 2023

What is CVE-2022-22486?

IBM Tivoli Workload Scheduler versions 9.4, 9.5, and 10.1 are susceptible to an XML External Entity Injection (XXE) attack, which can be exploited by a remote attacker. By sending specially crafted XML data, an attacker may gain access to sensitive information or exhaust system memory resources, leading to potential service disruptions or data breaches. This vulnerability necessitates immediate attention to mitigate risks associated with unauthorized access to data and denial of service.

Affected Version(s)

Tivoli Workload Scheduler 9.4, 9.5, 10.1

References

https://www.ibm.com/support/pages/node/6890697

vendor-advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/226328

vdb-entry

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 2, 2023
Vulnerability Reserved
Jan 3, 2022