Risk | High |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2021-23343 CVE-2022-25858 CVE-2023-20883 CVE-2023-2251 CVE-2017-18342 CVE-2019-20149 |
CWE-ID | CWE-185 CWE-399 CWE-248 CWE-20 CWE-668 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Cloud Pak for Security (CP4S) Client/Desktop applications / Other client software |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
EUVDB-ID: #VU55315
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23343
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU67974
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-25858
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU76427
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20883
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Specifically, an application is vulnerable if all of the conditions are true:
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU76605
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2251
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause a denial of service condition.
The vulnerability exists due uncaught exception in the parseDocument() and parseAllDocuments() functions. A remote unauthenticated attacker can send a specially crafted input and cause a denial of service condition.
MitigationInstall update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21781
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-18342
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to insufficient validation of user-supplied input in the "yaml.load()" API (yaml.safe_load is not used). A remote attacker can execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78874
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20149
CWE-ID:
CWE-668 - Exposure of resource to wrong sphere
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify files on the system.
The vulnerability exists due to ctorName in index.js in kind-of allows external user input to overwrite certain internal attributes via a conflicting name. A remote unauthenticated attacker can send a specially crafted payload to overwrite builtin attribute and manipulate the type detection result.
MitigationInstall update from vendor's website.
Vulnerable software versionsCloud Pak for Security (CP4S): 1.10.0.0 - 1.10.12.0
CPE2.3http://www.ibm.com/support/pages/node/7015859
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.