SB2023090826 - Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023090826

SB2023090826 - Multiple vulnerabilities in Platform Navigator and Automation Assets in IBM Cloud Pak for Integration

Published: September 8, 2023

Security Bulletin ID SB2023090826
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 70% Low 30%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2023-30584)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error within the experimental permission model when verifying file permissions. A remote user can send a specially crafted request and read arbitrary files on the system.


2) Untrusted search path (CVE-ID: CVE-2023-30585)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a current working directory into the search path and will libraries in an unsafe manner. A local user can place a malicious file on the victim's system and execute arbitrary code with elevated privileges.

The vulnerability affects Windows installators only.



3) Inconsistency between implementation and documented design (CVE-ID: CVE-2023-30590)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to inconsistency between implementation and documented design within the generateKeys() API function. The documented behavior is different from the actual behavior, and this difference could lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.


4) Improper access control (CVE-ID: CVE-2023-30587)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can exploit the Worker class's ability to create an "internal worker" with the kIsInternal Symbol to bypass restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30586)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to application allows loading arbitrary OpenSSL engines when the experimental permission model is enabled. A remote user can use the crypto.setEngine() API to bypass the permission model when called with a compatible OpenSSL engine and disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30582)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error within the experimental permission model when the --allow-fs-read flag is used with a non-* argument. An inadequate permission model fails to restrict file watching through the fs.watchFile API and result in an ability of a remote user to monitor files that they do not have explicit read access to.


7) Input validation error (CVE-ID: CVE-2023-30588)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied public key within the crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform a denial of service (DoS) attack.


8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-30589)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in the llhttp parser. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30581)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to bypass the policy mechanism and require modules outside of the policy.json definition.


10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30583)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to a missing check in the fs.openAsBlob() API. A remote user leverage fs.openAsBlob() to bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag.


Remediation

Install update from vendor's website.

References