Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2022-41940 CVE-2022-21676 CVE-2021-34141 CVE-2022-24302 CVE-2021-37533 |
CWE-ID | CWE-248 CWE-754 CWE-697 CWE-362 CWE-345 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Cloud Pak for Security (CP4S) Client/Desktop applications / Other client software |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU77489
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41940
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform denial of service attacks.
The vulnerability exists due to an uncaught exception. A remote user can send specially crafted HTTP request to trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
MitigationInstall update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): before 1.10.8.0
CPE2.3http://www.ibm.com/support/pages/node/6995207
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU77545
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21676
CWE-ID:
CWE-754 - Improper Check for Unusual or Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling. A remote attacker can send specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): before 1.10.8.0
CPE2.3http://www.ibm.com/support/pages/node/6995207
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61602
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-34141
CWE-ID:
CWE-697 - Incorrect Comparison
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incomplete string comparison in the numpy.core component in NumPy. A remote attacker can pass specific string objects to the library and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): before 1.10.8.0
CPE2.3http://www.ibm.com/support/pages/node/6995207
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61662
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-24302
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a race condition in the write_private_key_file() function between creation and chmod operations. A local user can exploit the race and gain unauthorized access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): before 1.10.8.0
CPE2.3http://www.ibm.com/support/pages/node/6995207
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU70441
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37533
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows an attacker to redirect victim to a malicious host.
The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): before 1.10.8.0
CPE2.3http://www.ibm.com/support/pages/node/6995207
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.