SB2023110713 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023110713

SB2023110713 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Published: November 7, 2023

Security Bulletin ID SB2023110713
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2023-29406)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.

Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.


2) Improper Certificate Validation (CVE-ID: CVE-2023-29409)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to verifying certificate chains containing large RSA keys is slow. A remote attacker can cause a client/server to expend significant CPU time verifying signatures.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-39533)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References