Multiple vulnerabilities in IBM VM Recovery Manager HA GUI



Published: 2022-09-19
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-28500
CVE-2021-23337
CWE-ID CWE-185
CWE-77
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
IBM VM Recovery Manager HA GUI
Other software / Other software solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect Regular Expression

EUVDB-ID: #VU54394

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28500

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM VM Recovery Manager HA GUI: All versions


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-affects-ibm-vm-recovery-manager-ha-gui/
http://www.ibm.com/support/pages/node/6493751

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Command Injection

EUVDB-ID: #VU53202

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23337

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM VM Recovery Manager HA GUI: All versions


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-affects-ibm-vm-recovery-manager-ha-gui/
http://www.ibm.com/support/pages/node/6493751

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###