Multiple vulnerabilities in IBM CICS TX Advanced
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-24540 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405 |
| CWE-ID | CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM CICS TX Advanced Universal components / Libraries / Software for developers |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU75791
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-24540
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation when processing whitespace characters. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM CICS TX Advanced: before 11.1.0.0 ifix13
CPE2.3 External linkshttp://www.ibm.com/support/pages/node/7033004
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Code Injection
EUVDB-ID: #VU77528
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-29402
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.
Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM CICS TX Advanced: before 11.1.0.0 ifix13
CPE2.3 External linkshttp://www.ibm.com/support/pages/node/7033004
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) Code Injection
EUVDB-ID: #VU77530
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-29404
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo. Mitigation
Install update from vendor's website.
Vulnerable software versionsIBM CICS TX Advanced: before 11.1.0.0 ifix13
CPE2.3 External linkshttp://www.ibm.com/support/pages/node/7033004
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
4) Code Injection
EUVDB-ID: #VU77531
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2023-29405
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo. Mitigation
Install update from vendor's website.
Vulnerable software versionsIBM CICS TX Advanced: before 11.1.0.0 ifix13
CPE2.3 External linkshttp://www.ibm.com/support/pages/node/7033004
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
