Multiple vulnerabilities in IBM Voice Gateway



Published: 2023-09-21
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2010-2245
CVE-2022-24823
CVE-2014-3577
CVE-2015-5262
CVE-2013-4366
CVE-2020-13956
CWE-ID CWE-611
CWE-378
CWE-295
CWE-399
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Voice Gateway
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) XML External Entity injection

EUVDB-ID: #VU80955

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2010-2245

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Creation of Temporary File With Insecure Permissions

EUVDB-ID: #VU62849

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24823

CWE-ID: CWE-378 - Creation of Temporary File With Insecure Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of insecure permissions for temporary files. A local user can view contents of temporary files and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper Certificate Validation

EUVDB-ID: #VU57150

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2014-3577

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation. A remote attacker can perform a man-in-the-middle (MitM) attack and spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Resource management error

EUVDB-ID: #VU80908

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2015-5262

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Input validation error

EUVDB-ID: #VU37997

Risk: High

CVSSv3.1:

CVE-ID: CVE-2013-4366

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Input validation error

EUVDB-ID: #VU47481

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13956

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Voice Gateway: before 1.0.8.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6890673


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###