LiveActive security incident?Get immediate response
CVE Record

CVE-2019-4483: IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vuln...

IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 164067.

HighCVSS 7.6Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a SQL injection flaw in IBM Contract Management and IBM Emptoris Spend Analysis versions 10.1.0 through 10.1.3. A remote low-privileged attacker could manipulate back-end database queries, potentially exposing or changing business data. Treat it as high priority where these legacy IBM procurement or contract systems remain deployed.

Executive priority

Prioritize remediation if these IBM applications are still in use, especially where they hold contracts, supplier data, spend data, or commercially sensitive records. This is not presented as known exploited in the provided evidence, but the data-integrity impact justifies timely action.

Technical view

CVE-2019-4483 affects IBM Contract Management 10.1.0-10.1.3 and IBM Emptoris Spend Analysis 10.1.0-10.1.3. CVSS 3.0 is 7.6: network attack vector, low complexity, low privileges, no user interaction, high integrity impact, and low confidentiality and availability impact. IBM X-Force tracks it as ID 164067.

Likely exposure

Exposure is limited to organizations still running the affected IBM Contract Management or Emptoris Spend Analysis versions. Risk is higher if the application is reachable by broad internal networks, third parties, VPN users, or the internet, and if low-privileged accounts are easy to obtain.

Exploitation context

The provided bundle does not show CISA KEV listing or confirmed active exploitation. IBM’s CVSS vector lists exploit maturity as unproven. The practical risk remains meaningful because SQL injection can affect database-backed records and the attack is network-reachable with low privileges.

Researcher notes

The source bundle lacks endpoint details, fixed version names, CWE assignment, and proof-of-concept information. Avoid assuming exploitability beyond authenticated, low-privileged network access. Focus validation on version confirmation, vendor advisory status, access paths, and database evidence of unauthorized read or write behavior.

Mitigation direction

  • Identify any affected IBM Contract Management or Emptoris Spend Analysis deployments.
  • Review IBM’s advisory and apply the vendor-recommended fix or upgrade path.
  • Restrict application access to trusted users and networks until remediated.
  • Review database and application logs for suspicious query errors or data changes.
  • Confirm backups and recovery procedures for affected application databases.

Validation and detection

  • Inventory product names and versions across procurement and contract-management environments.
  • Compare installed versions against IBM’s affected range: 10.1.0 through 10.1.3.
  • Confirm whether IBM’s advisory remediation has been applied.
  • Check whether the application is internet, VPN, or partner accessible.
  • Review recent low-privileged account activity for unusual database-facing actions.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-4483 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.6 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/UI:N/I:H/PR:L/S:U/AV:N/AC:L/C:L/A:L/RL:O/RC:C/E:U

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.6CVSS 3.0HighCVSS:3.0/UI:N/I:H/PR:L/S:U/AV:N/AC:L/C:L/A:L/RL:O/RC:C/E:U2.84.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

7.6High
CVSS 3.0 vector shape for CVE-2019-4483Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/UI:N/I:H/PR:L/S:U/AV:N/AC:L/C:L/A:L/RL:O/RC:C/E:U

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
IBMContract Management10.1.0, 10.1.3Listed
IBMEmptoris Spend Analysis10.1.0, 10.1.3Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.