Multiple vulnerabilities in IBM Planning Analytics Cartridge for IBM Cloud Pak for Data
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-39321 CVE-2023-29401 CVE-2023-39322 CVE-2023-39533 CVE-2023-26024 |
| CWE-ID | CWE-20 CWE-494 CWE-770 CWE-319 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Planning Analytics Cartridge for Cloud Pak for Data Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU80574
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39321
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlanning Analytics Cartridge for Cloud Pak for Data: before 4.8.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7082784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Download of code without integrity check
EUVDB-ID: #VU80818
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-29401
CWE-ID:
CWE-494 - Download of Code Without Integrity Check
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists due to software does not perform software integrity check when downloading updates. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and modify data on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlanning Analytics Cartridge for Cloud Pak for Data: before 4.8.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7082784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU80575
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39322
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlanning Analytics Cartridge for Cloud Pak for Data: before 4.8.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7082784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU82816
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39533
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlanning Analytics Cartridge for Cloud Pak for Data: before 4.8.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7082784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cleartext transmission of sensitive information
EUVDB-ID: #VU83592
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-26024
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker on the local network with ability to intercept network traffic can gain access to sensitive data.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlanning Analytics Cartridge for Cloud Pak for Data: before 4.8.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7082784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
