Risk | High |
Patch available | YES |
Number of vulnerabilities | 10 |
CVE-ID | CVE-2022-23307 CVE-2020-9493 CVE-2021-27568 CVE-2021-37136 CVE-2021-37137 CVE-2020-9492 CVE-2019-0205 CVE-2018-11793 CVE-2015-5237 CVE-2023-29017 CVE-2023-28154 |
CWE-ID | CWE-502 CWE-20 CWE-400 CWE-264 CWE-835 CWE-399 CWE-122 CWE-913 CWE-284 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #9 is available. |
Vulnerable software Subscribe |
IBM Cloud Pak for Watson AIOps Other software / Other software solutions |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU59693
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23307,CVE-2020-9493
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55372
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27568
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read data or crash the application.
The vulnerability exists due to improper input validation within the REST Services (netplex json-smart-v1) component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read data or crash the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63127
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37136
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in Bzip2 decompression decoder function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59924
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37137
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Content Acquisition System (Netty) component in Oracle Commerce Guided Search. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50000
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9492
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the way Apache Hadoop handles SPNEGO authorization headers. A remote WebHDFS client can trigger services to send server credentials to a webhdfs path for capturing the service principal.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22565
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0205
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing user-supplied input. A remote attacker can pass malicious input to the application and consume all available system resources or cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17911
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11793
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of nested data within a JSON array. A remote unauthenticated attacker can supply a specially crafted JSON array, overflow the stack due to unbounded recursion and perform denial of service (DoS) attack,
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU70097
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5237
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU74606
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2023-29017
CWE-ID:
CWE-913 - Improper Control of Dynamically-Managed Code Resources
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escape sandbox restrictions.
The vulnerability exists due to improper handling of host objects passed to "Error.prepareStackTrace" in case of unhandled async errors. A remote attacker can pass specially crafted input to the application, escape sandbox restrictions and execute arbitrary code on the host.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU74478
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-28154
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on cross-realm objects in ImportParserPlugin.js. A remote attacker who controls a property of an untrusted object can obtain access to the real global object.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Watson AIOps : before 3.7.1
External linkshttp://www.ibm.com/support/pages/node/6986577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.