SB2023122810 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Published: December 28, 2023 Updated: December 6, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 25 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2023-36479)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in org.eclipse.jetty.servlets.CGI Servlet when quoting a command before its execution. A remote user can force the application to execute arbitrary file on the server and potentially compromise the system.
2) Cross-site request forgery (CVE-ID: CVE-2023-45857)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32006)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
4) Information disclosure (CVE-ID: CVE-2023-45143)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to software send Cookies in HTTP headers during cross-origin redirects. A remote attacker can gain unauthorized access to sensitive information.
5) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-46233)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of a weak PBKDF2 algorithm. A remote attacker can gain access to sensitive information.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32559)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
7) Information disclosure (CVE-ID: CVE-2023-40691)
The vulnerability allows a remote privileged user to gain access to potentially sensitive information.
The vulnerability exists due to the application reveals sensitive information contained in application configuration to developer and administrator users. A remote privileged user can gain unauthorized access to sensitive information on the system.
8) Resource exhaustion (CVE-ID: CVE-2021-33503)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in urllib3 when processing URL with multiple "@" characters in the authority component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-44981)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to improper implementation of SASL Quorum Peer authentication. The instance part in SASL authentication ID, which is listed in zoo.cfg server
list, is optional and if it's missing,
the authorization check will be skipped. As a
result an arbitrary endpoint could join the cluster and begin
propagating counterfeit changes to the leader, essentially giving it
complete read-write access to the data tree.
10) Security features bypass (CVE-ID: CVE-2023-4853)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to implemented HTTP security policies do not correctly sanitize certain character permutations, which may result in incorrect evaluation of permissions. A remote attacker can bypass the security policy altogether and gain unauthorized access to endpoints or perform a denial of service (DoS) attack.
11) Incorrect Comparison (CVE-ID: CVE-2023-45133)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists in '@babel/traverse' and `babel-traverse`. A local user can execute arbitrary code during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.
12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-5072)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
13) Stored cross-site scripting (CVE-ID: CVE-2023-39151)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to the affected plugin does not sanitize or properly encode URLs of the hyperlinks in build logs. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
14) Incorrect default permissions (CVE-ID: CVE-2023-43498)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the affected plugin creates the temporary file in the system temporary directory with the default permissions for newly created files within the Jenkins API "MultipartFormDataParser". A local user can read and write the file before it is used.
15) Incorrect default permissions (CVE-ID: CVE-2023-43497)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the affected plugin creates the temporary file in the system temporary directory with the default permissions for newly created files within the Stapler web framework. A local user can read and write the file before it is used.
16) Incorrect default permissions (CVE-ID: CVE-2023-43496)
The vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to the affected plugin creates the temporary file in the system temporary directory with the default permissions for newly created files. A local user can view contents of files and directories and execute arbitrary code on the target system.
17) Stored cross-site scripting (CVE-ID: CVE-2023-43495)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "caption" constructor parameter of ExpandableDetailsNote. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
18) Information disclosure (CVE-ID: CVE-2023-43494)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected application does not exclude sensitive build variables from this search. A remote user can gain unauthorized access to sensitive information on the system.
19) Incorrect authorization (CVE-ID: CVE-2023-34035)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to authorization rule misconfiguration if the application uses requestMatchers(String) or requestMatchers(HttpMethod, String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. A remote attacker can bypass authorization rules and gain unauthorized access to the application.
20) Security features bypass (CVE-ID: CVE-2023-34034)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to the usage of "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux. A remote unauthenticated attacker can trigger the vulnerability to bypass security restrictions.
21) Code Injection (CVE-ID: CVE-2023-39333)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in an imported WebAssembly module when processing export names. A remote attacker can pass specially crafted export names to the application and execute arbitrary JavaScript code on the system.
22) Improper validation of integrity check value (CVE-ID: CVE-2023-38552)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in the policy feature, which checks the integrity of a resource against a trusted manifest. An application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.
23) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-31417)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to software can include sensitive information into audit logs log files when using certain deprecated URIs for APIs. A local user with access to the application's log can obtain potentially sensitive information, such as passwords and tokens in clear text.
Note that audit logging is disabled by default and needs to be explicitly enabled.
24) Resource exhaustion (CVE-ID: CVE-2023-44487)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
25) Resource management error (CVE-ID: CVE-2023-46158)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper resource expiration handling. A remote attacker can bypass implemented security restrictions.
Remediation
Install update from vendor's website.