Security Bulletin: Vulnerabilities in Node.js and packages affect IBM Voice Gateway

2024-09-17 21:51:40
www.ibm.com

CVSS3: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
AI Score: 8.7 (Confidence: High)

Summary

Security vulnerabilities in Node.js and Node.js packages affect IBM Voice Gateway. The vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2024-39338
**DESCRIPTION:** Axios is vulnerable to server-side request forgery, caused by a flaw in which requests for path-relative URLs are processed as protocol-relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/350874 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
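The following is an added defender-side example, not code from the bulletin or from axios: a same-origin guard for the pattern the CVE-2024-39338 description names, where a path meant to be relative to a trusted base URL is instead treated as protocol-relative ("//host/...") and resolves to another host. The base URL, the function name `resolveOnBase` and the sample paths are constructed for the example.

```javascript
// Added example (not IBM's or axios's code). Demonstrates how a path that a
// caller expects to be relative can resolve to a different host once the
// WHATWG URL parser treats a leading "//" as protocol-relative, and how a
// same-origin check catches it before any outbound request is made.

// Constructed trusted base for the example.
const TRUSTED_BASE = 'https://api.internal.example/v1/';

// Resolve userPath against the trusted base and return the full URL only if
// it still lives on the base URL's origin (scheme + host + port).
// Returns null for anything that would leave that origin: protocol-relative
// paths ("//evil.example/x"), absolute URLs, scheme downgrades
// ("http://..." against an https base) and backslash variants such as
// "/\evil.example", which special schemes normalise to "//evil.example".
function resolveOnBase(userPath, baseUrl = TRUSTED_BASE) {
  const base = new URL(baseUrl);
  let resolved;
  try {
    resolved = new URL(userPath, base);
  } catch (err) {
    return null; // unparsable input is rejected rather than passed through
  }
  if (resolved.origin !== base.origin) {
    return null;
  }
  return resolved.href;
}

// Classify a batch of candidate paths, e.g. when reviewing request logs or
// writing regression tests for an HTTP client wrapper.
function classify(paths) {
  return paths.map((p) => ({ path: p, allowed: resolveOnBase(p) !== null }));
}

// Constructed sample inputs: two legitimate paths and three that would
// escape the trusted origin.
const SAMPLES = [
  'users/42',
  '/v1/users/42',
  '//evil.example/x',
  '/\\evil.example/x',
  'http://api.internal.example/v1/users/42',
];

for (const r of classify(SAMPLES)) {
  console.log(`${r.allowed ? 'allow ' : 'reject'} ${r.path}`);
}
```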

CVEID: CVE-2024-22020
**DESCRIPTION:** Node.js could allow a remote attacker to execute arbitrary code on the system. By embedding non-network imports in data URLs, an attacker could exploit this vulnerability to bypass network import restrictions and execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297433 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H)

CVEID: CVE-2024-37168
**DESCRIPTION:** gRPC on Node.js is vulnerable to a denial of service, caused by a memory-allocation flaw triggered by an excessive size value. By sending specially crafted messages, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Voice Gateway | 1.0.7 |
| Voice Gateway | 1.0.6 |
| Voice Gateway | 1.0.2.4 |
| Voice Gateway | 1.0.4 |
| Voice Gateway | 1.0.7.1 |
| Voice Gateway | 1.0.2 |
| Voice Gateway | 1.0.8 |
| Voice Gateway | 1.0.5 |
| Voice Gateway | 1.0.3 |

Remediation/Fixes

IBM strongly suggests upgrading to the following IBM Voice Gateway 1.0.8.x images:

ibmcom/voice-gateway-mr:1.0.8.21
ibmcom/voice-gateway-stt-adapter:1.0.8.13
ibmcom/voice-gateway-tts-adapter:1.0.8.13

The above images can be found at the following links:
<https://hub.docker.com/r/ibmcom/voice-gateway-mr/tags>
<https://hub.docker.com/r/ibmcom/voice-gateway-stt-adapter/tags>
<https://hub.docker.com/r/ibmcom/voice-gateway-tts-adapter/tags>

Workarounds and Mitigations

None
