CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
41.7%
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in jsonwebtoken with details below.
CVEID:CVE-2022-23540
**DESCRIPTION:**Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure default algorithm flaw in the jwt.verify() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass signature validation.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242969 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)
CVEID:CVE-2022-23539
**DESCRIPTION:**Auth0 jsonwebtoken could provide weaker than expected security, caused by an unrestricted key type issue. A remote authenticated attacker could exploit this vulnerability to allow legacy keys usage and launch further attacks on the system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242968 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N)
CVEID:CVE-2022-23541
**DESCRIPTION:**Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure implementation of key retrieval function. By sending a specially-crafted request, an attacker could exploit this vulnerability to forge Public/Private Tokens from RSA to HMAC.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242966 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2021.1.1 |
2021.2.1 | |
2021.4.1 | |
2022.2.1 | |
2022.4.1 | |
Automation Assets in IBM Cloud Pak for Integration (CP4I) | 2021.1.1 |
2021.2.1 | |
2021.4.1 | |
2022.2.1 |
Platform Navigator in IBM Cloud Pak for Integration
Upgrade Platform Navigator to either the LTS or CD version:
LTS: 2022.2.1-6 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui>
CD: 2022.4.1-1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.4?topic=upgrading-platform-ui>
Automation Assets version****in IBM Cloud Pak for Integration
Upgrade Automation Assets Operator to 2022.2.1-5 using the Operator upgrade process described in the IBM Documentation
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_security | 2021.1.12021.2.12021.4.12022.2.12022.4.1 | cpe:2.3:a:ibm:cloud_pak_for_security:2021.1.12021.2.12021.4.12022.2.12022.4.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 2021.1.12021.2.12021.4.12022.2.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:2021.1.12021.2.12021.4.12022.2.1:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
41.7%