Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0665925DF5F067ECF5E297BA3C90127DB89591002C77E6A2724DF5A757C0156C
HistoryAug 31, 2021 - 4:20 p.m.

Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

2021-08-3116:20:46
www.ibm.com
49
ibm planning analytics workspace
vulnerabilities
ibm planning analytics local v2.0
security
cross-site scripting
apache commons compress

EPSS

0.025

Percentile

90.3%

JSON

Summary

The Planning Analytics Workspace component of IBM Planning Analytics is affected by vulnerabilities These have been addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 67.

Vulnerability Details

CVEID:CVE-2021-29853
**DESCRIPTION:**IBM Planning Analytics could expose information that could be used to to create attacks by not validating the return values from some methods or functions.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205529 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-29852
**DESCRIPTION:**IBM Planning Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205528 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-35516
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205306 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-29851
**DESCRIPTION:**IBM Planning Analytics could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-35515
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205304 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23343
**DESCRIPTION:**path-parse is vulnerable to a denial of service. By sending a specially-crafted request via splitDeviceRe, splitTailRe, and splitPathRe regular expressions, a remote attacker could exploit this vulnerability to cause a regular expression denial of service (ReDoS).
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Planning Analytics Local 2.0

Remediation/Fixes

The recommended solution is to apply the most recent security update:

Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 67 from Fix Central.

This Security Bulletin is applicable to IBM Planning Analytics 2.0 (Local).

The vulnerability has been addressed on IBM Planning Analytics with Watson and no further action is required.

Workarounds and Mitigations

None

Related

nessus 29
mageia 1
ibm 68
openvas 15
redos 1
suse 6
osv 11
redhat 2
nvd 8
prion 8
cvelist 8
cve 8
cnvd 4
redhatcve 5
veracode 5
github 5
ubuntucve 4
debiancve 4
atlassian 4
nodejs 1
f5 1
amazon 1
nessus
nessus
openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:2612-1)
2021-08-06 00:00:00
openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:1115-1)
2021-08-11 00:00:00
RHEL 8 : apache-commons-compress (Unpatched Vulnerability)
2024-06-03 00:00:00
mageia
mageia
Updated osgi-core/apache-commons-compress packages fix security vulnerability
2022-01-11 10:12:42
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
2021-10-28 23:12:16
Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress
2022-08-22 16:39:58
Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517)
2022-06-06 18:14:44
openvas
openvas
openSUSE: Security Advisory for apache-commons-compress (openSUSE-SU-2021:2612-1)
2021-08-07 00:00:00
Mageia: Security Advisory (MGASA-2022-0009)
2022-01-28 00:00:00
openSUSE: Security Advisory for apache-commons-compress (openSUSE-SU-2021:1115-1)
2021-08-11 00:00:00
redos
redos
ROS-20240806-01
2024-08-06 00:00:00
suse
suse
Security update for apache-commons-compress (important)
2021-08-05 00:00:00
Security update for apache-commons-compress (important)
2021-08-10 00:00:00
Security update for nodejs12 (important)
2022-03-02 00:00:00
osv
osv
apache-commons-compress-1.21-1.2 on GA media
2024-06-15 00:00:00
CVE-2021-23343
2021-05-04 09:15:07
Regular Expression Denial of Service in path-parse
2021-08-10 15:33:47
redhat
redhat
(RHSA-2022:5555) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update
2022-07-14 12:11:20
(RHSA-2021:2865) Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]
2021-07-22 14:06:26
nvd
nvd
CVE-2021-29852
2021-09-01 17:15:07
CVE-2021-29853
2021-09-01 17:15:07
CVE-2021-29851
2021-09-01 17:15:07
prion
prion
Cross site scripting
2021-09-01 17:15:00
Information disclosure
2021-09-01 17:15:00
Information disclosure
2021-09-01 17:15:00
cvelist
cvelist
CVE-2021-29852
2021-09-01 16:20:17
CVE-2021-29851
2021-09-01 16:20:14
CVE-2021-29853
2021-09-01 16:20:19
cve
cve
CVE-2021-29851
2021-09-01 17:15:07
CVE-2021-29852
2021-09-01 17:15:07
CVE-2021-29853
2021-09-01 17:15:07
cnvd
cnvd
IBM Planning Analytics Cross-Site Scripting Vulnerability (CNVD-2021-71524)
2021-09-02 00:00:00
IBM Planning Analytics Information Disclosure Vulnerability (CNVD-2021-71522)
2021-09-03 00:00:00
IBM Planning Analytics Information Disclosure Vulnerability (CNVD-2021-71523)
2021-09-02 00:00:00
redhatcve
redhatcve
CVE-2021-23343
2021-05-04 14:31:14
CVE-2021-35515
2021-07-13 17:52:15
CVE-2021-35516
2021-07-13 17:52:22
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-05-05 05:46:25
Denial Of Service (DoS)
2021-09-22 02:44:38
Denial Of Service (DoS)
2021-07-14 06:32:21
github
github
Regular Expression Denial of Service in path-parse
2021-08-10 15:33:47
Improper Handling of Length Parameter Inconsistency in Compress
2021-08-02 16:55:15
Excessive Iteration in Compress
2021-08-02 16:55:07
ubuntucve
ubuntucve
CVE-2021-35515
2021-07-13 00:00:00
CVE-2021-35516
2021-07-13 00:00:00
CVE-2021-35517
2021-07-13 00:00:00
debiancve
debiancve
CVE-2021-35515
2021-07-13 08:15:07
CVE-2021-35516
2021-07-13 08:15:07
CVE-2021-36090
2021-07-13 08:15:07
atlassian
atlassian
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server
2024-07-03 08:30:08
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server
2024-07-03 08:30:12
DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server
2024-07-03 08:30:16
nodejs
nodejs
Regular Expression Denial of Service in path-parse
2021-08-10 15:59:47
f5
f5
K000133710 : apache-commons-compress vulnerability CVE-2021-36090
2023-04-28 00:00:00
amazon
amazon
Medium: apache-commons-compress
2024-08-14 19:06:00

EPSS

0.025

Percentile

90.3%

JSON
Related for 0665925DF5F067ECF5E297BA3C90127DB89591002C77E6A2724DF5A757C0156C
nessus29mageia1ibm68openvas15redos1suse6osv11redhat2nvd8prion8cvelist8cve8cnvd4redhatcve5veracode5github5ubuntucve4debiancve4atlassian4nodejs1f51amazon1