SB2025051920 - Multiple vulnerabilities in IBM Integrated Analytics System

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025051920

SB2025051920 - Multiple vulnerabilities in IBM Integrated Analytics System

Published: May 19, 2025

Security Bulletin ID SB2025051920
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2023-22809)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists within the sudoedit (aka -e) feature due to insufficient validation of user-supplied input passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR). The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. A local user can append arbitrary entries to the list of files to process and escalate privileges on the system.


2) OS Command Injection (CVE-ID: CVE-2023-28486)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing control characters in the log messages. A local user can inject specially crafted characters to the log messages and execute arbtirary OS commands on the system when the command is executed from the log (e.g. via the "sudoreplay -l").


3) OS Command Injection (CVE-ID: CVE-2023-28487)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing control characters in the sudoreplay output. A local user can inject specially crafted characters to the log messages and execute arbitrary OS commands on the system.

4) Improper Authentication (CVE-ID: CVE-2023-42465)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass authentication process.

The vulnerability exists due to insufficient resistance to rowhammer attacks. A local user can bypass authentication process and gain unauthorized access to the system.


Remediation

Install update from vendor's website.

References