Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2022-37599, CVE-2022-37601, CVE-2022-37603 |
CWE-ID | CWE-185, CWE-94 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | DB2 on Cloud Pak for Data; DB2 Warehouse on Cloud Pak for Data |
Vendor | IBM Corporation |
This security bulletin contains information about 3 vulnerabilities. All three affect the loader-utils npm component (interpolateName.js and parseQuery.js) bundled with the listed products: two regular expression denial of service issues and one prototype pollution issue.
EUVDB-ID: #VU70122
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-37599
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed via the resourcePath variable to the interpolateName() function in interpolateName.js. The regular expression applied to that value backtracks super-linearly on crafted strings, so a remote attacker who controls resourcePath can pass specially crafted data that keeps the regex engine busy and exhausts CPU: a regular expression denial of service (ReDoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: DB2 on Cloud Pak for Data: before 4.6.2
DB2 Warehouse on Cloud Pak for Data: before 4.6.2
http://www.ibm.com/support/pages/node/6890703
EUVDB-ID: #VU70123
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-37601
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a prototype pollution attack.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parseQuery() function in parseQuery.js: query-string keys are used as object property names without excluding special names such as __proto__, so crafted input can add or overwrite properties on the shared Object.prototype. Because every object in the process inherits those properties, the injected values can alter application logic and, where they reach a code-generating sink, allow a remote attacker to inject and execute arbitrary JavaScript code.
Mitigation: Install update from vendor's website.
Vulnerable software versions: DB2 on Cloud Pak for Data: before 4.6.2
DB2 Warehouse on Cloud Pak for Data: before 4.6.2
http://www.ibm.com/support/pages/node/6890703
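The following is an added example and is not code from this bulletin, from IBM, or from loader-utils itself. It uses a constructed bracket-notation query parser (a hypothetical parseQueryVulnerable(), not the real parseQuery()) to show how an unsanitized key such as __proto__ lands on Object.prototype, and places a hardened version next to it. The attack query string and all function names are assumptions made for the illustration.

```javascript
// Added example (not loader-utils code): a bracket-notation query parser that is
// vulnerable to prototype pollution, beside a hardened version.
// Constructed for illustration; the real parseQuery() in loader-utils is different.

// Key segments that would walk onto a shared prototype; the safe parser rejects them.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]" -> ["a", "b", "c"]; a bare "a" -> ["a"].
function splitKeyPath(rawKey) {
  return rawKey.replace(/\]/g, "").split("[");
}

// Yield [rawKey, value] pairs from "?k=v&k2[x]=v2"; a key without "=" maps to true.
// Keys are percent-decoded BEFORE any later check, so "%5F%5Fproto%5F%5F" cannot slip past.
function* pairs(query) {
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? true : decodeURIComponent(pair.slice(eq + 1));
    yield [rawKey, value];
  }
}

// VULNERABLE: result is a plain {} and key names are trusted, so the path
// ["__proto__", "polluted"] descends onto Object.prototype and writes there.
function parseQueryVulnerable(query) {
  const result = {};
  for (const [rawKey, value] of pairs(query)) {
    const path = splitKeyPath(rawKey);
    let cursor = result;
    for (const k of path.slice(0, -1)) {
      if (typeof cursor[k] !== "object" || cursor[k] === null) cursor[k] = {};
      cursor = cursor[k]; // for k === "__proto__" this is Object.prototype
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: null-prototype containers (no inherited __proto__ accessor to walk),
// an explicit blocklist, and only own properties are descended into.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [rawKey, value] of pairs(query)) {
    const path = splitKeyPath(rawKey);
    for (const k of path) {
      if (UNSAFE_KEYS.has(k)) throw new Error(`rejected unsafe key segment: ${k}`);
    }
    let cursor = result;
    for (const k of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(cursor, k);
      if (!own || typeof cursor[k] !== "object" || cursor[k] === null) {
        cursor[k] = Object.create(null);
      }
      cursor = cursor[k];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed attacker-controlled query string (assumption for the demo).
const ATTACK = "?name=app&__proto__[polluted]=yes";

// Run the attack against both parsers and report whether an unrelated, freshly
// created object inherited the injected property. Undoes the pollution afterwards.
function demo() {
  const report = {};
  parseQueryVulnerable(ATTACK);
  report.vulnerableLeaked = ({}).polluted === "yes"; // true: every object now has .polluted
  delete Object.prototype.polluted;                   // clean up the global prototype

  let safeRejected = false;
  try { parseQuerySafe(ATTACK); } catch (e) { safeRejected = true; }
  report.safeRejected = safeRejected;                  // true: the key was refused
  report.safeLeaked = ({}).polluted !== undefined;     // false: prototype untouched
  report.safeParsed = parseQuerySafe("?name=app&opts[minify]=1").opts.minify; // "1"
  return report;
}

console.log(demo());
```

The null-prototype result object alone is not enough: nested containers must also be created with Object.create(null), and the blocklist is applied after percent-decoding so encoded variants of the dangerous names are caught too.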
EUVDB-ID: #VU70121
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-37603
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing the URL (the url value) within the interpolateName() function in interpolateName.js. The regular expression applied to that value backtracks super-linearly on crafted strings, so a remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: DB2 on Cloud Pak for Data: before 4.6.2
DB2 Warehouse on Cloud Pak for Data: before 4.6.2
http://www.ibm.com/support/pages/node/6890703
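The two ReDoS entries above (CVE-2022-37599 and CVE-2022-37603) describe the same failure mode: a regex with nested quantifiers applied to attacker-controlled strings. The following added example is not code from this bulletin, from IBM, or from loader-utils; it uses a constructed path-matching pattern (an assumption, not the regex that was fixed in interpolateName.js) to show the exponential backtracking, a linear rewrite that accepts the same inputs, a timing harness that makes the growth visible, and a length guard as defence in depth.

```javascript
// Added example (not loader-utils code): a constructed path-matching regex with nested
// quantifiers that backtracks exponentially, beside a linear rewrite and a timing harness.
// The pattern is illustrative only; it is not the regex that was fixed in interpolateName.js.

// performance.now() is a global in modern Node; fall back to Date.now() elsewhere.
const now = () => (typeof performance !== "undefined" ? performance.now() : Date.now());

// VULNERABLE: the group "([\w-]+\/?)+" can split a run of word characters between
// iterations in 2^(n-1) ways, and every split is tried when the final "\." fails.
const PATH_VULNERABLE = /^([\w-]+\/?)+\.[a-z]+$/;

// LINEAR: each repeated group must begin with "/", which [\w-] can never match, so at
// every position there is exactly one way forward and a failing match costs O(n).
const PATH_LINEAR = /^[\w-]+(\/[\w-]+)*\/?\.[a-z]+$/;

// Time a single regex test in milliseconds.
function timeMatch(re, input) {
  const start = now();
  re.test(input);
  return now() - start;
}

// Attacker-shaped input: a run of n word characters followed by a byte that can never
// match, which forces the engine to exhaust every split before it gives up.
function evilInput(n) {
  return "a".repeat(n) + "!";
}

// Compare the patterns at two input sizes; super-linear growth in ms is the ReDoS signal.
function measureGrowth(small = 10, large = 22) {
  return {
    vulnerableSmall: timeMatch(PATH_VULNERABLE, evilInput(small)),
    vulnerableLarge: timeMatch(PATH_VULNERABLE, evilInput(large)),
    linearLarge: timeMatch(PATH_LINEAR, evilInput(large)),
  };
}

// A rewrite is only a fix if it accepts and rejects exactly the same inputs.
function sameVerdicts(inputs) {
  return inputs.every((s) => PATH_VULNERABLE.test(s) === PATH_LINEAR.test(s));
}

// Defence in depth for any regex that sees untrusted input: refuse oversized strings
// before matching. This bounds polynomial patterns only; an exponential pattern still
// needs the rewrite, since 2^63 steps for a 64-character string is already unreachable.
function guardedTest(re, input, maxLen = 4096) {
  if (typeof input !== "string" || input.length > maxLen) {
    throw new RangeError(`input rejected: length exceeds ${maxLen}`);
  }
  return re.test(input);
}

// Constructed sample inputs covering accept and reject cases.
const SAMPLES = [
  "index.js", "src/components/Button.jsx", "dir/.hidden",
  "a//b.js", ".env", "noext", evilInput(12),
];

console.log(measureGrowth());
console.log("rewrite agrees with original on samples:", sameVerdicts(SAMPLES));
```

Running the harness shows the vulnerable pattern's time roughly doubling with every extra character of the evil input while the rewrite stays flat; that doubling, not the absolute number, is what to look for when triaging a regex that handles request data.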