Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM098A0B0BBDA18721083717F103FE7FB2B2BBE2394E33149D968FE7B59A7B2AD4
HistoryApr 24, 2021 - 6:55 a.m.

Security Bulletin: Vulnerabilities in Apache and Node.js affect IBM Spectrum Protect Plus

2021-04-2406:55:55
www.ibm.com
49

0.973 High

EPSS

Percentile

99.9%

JSON

Summary

Vulnerabilities in Apache and Node.js such as execution of arbitrary code on the system, cross -site scripting, and bypassing security restrictions, may affect IBM Spectrum Protect Plus.

Vulnerability Details

CVEID:CVE-2020-28458
**DESCRIPTION:**Node.js datatables.net module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193390 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-21315
**DESCRIPTION:**System Information Library for Node.JS could allow a remote attacker to execute arbitrary commands on the system, caused by command injection flaw when parsing service parameters. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196894 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-13959
**DESCRIPTION:**Apache Velocity Tools is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the default error page for VelocityView. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197994 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-13936
**DESCRIPTION:**Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect Plus 10.1.0-10.1.7

Remediation/Fixes

BM Spectrum Protect Plus Release First Fixing VRM Level Platform Link to Fix
10.1 10.1.8 Linux <https://www.ibm.com/support/pages/node/6415111&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum protect pluseq10.1

Related

gentoo 1
nessus 38
openvas 15
nvd 5
cvelist 5
veracode 5
osv 20
redhatcve 4
github 6
ubuntu 3
debiancve 3
redhat 15
prion 5
ubuntucve 3
debian 4
cve 5
githubexploit 4
huntr 1
nodejs 1
ibm 36
suse 1
amazon 2
atlassian 2
mageia 2
cisa_kev 1
attackerkb 1
checkpoint_advisories 1
nuclei 1
rocky 2
oraclelinux 2
almalinux 2
cgr 1
wolfi 1
freebsd 1
gentoo
gentoo
Apache Velocity: Multiple vulnerabilities
2021-07-23 00:00:00
nessus
nessus
GLSA-202107-52 : Apache Velocity: Multiple vulnerabilities
2021-10-29 00:00:00
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : Velocity Tools vulnerability (USN-6282-1)
2023-08-10 00:00:00
Debian DLA-2597-1 : velocity-tools security update
2021-03-19 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6282-1)
2023-08-11 00:00:00
Debian: Security Advisory (DLA-2597-1)
2021-03-18 00:00:00
Mageia: Security Advisory (MGASA-2021-0183)
2022-01-28 00:00:00
nvd
nvd
CVE-2020-13959
2021-03-10 08:15:14
CVE-2020-28458
2020-12-16 11:15:12
CVE-2021-21315
2021-02-16 17:15:13
cvelist
cvelist
CVE-2020-13959 Velocity Tools XSS Vulnerability
2021-03-10 08:00:19
CVE-2021-21315 Command Injection Vulnerability
2021-02-16 17:00:18
CVE-2020-28458 Prototype Pollution
2020-12-16 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2021-03-11 01:48:48
Prototype Pollution
2020-12-17 03:35:03
Remote Code Execution
2021-03-04 04:14:51
osv
osv
Cross-site scripting (XSS) in Apache Velocity Tools
2021-03-12 20:24:22
velocity-tools - security update
2021-03-17 00:00:00
CVE-2020-28458
2020-12-16 11:15:12
redhatcve
redhatcve
CVE-2020-13959
2021-03-10 17:03:47
CVE-2020-28458
2020-12-16 17:53:00
CVE-2020-13936
2021-03-10 17:04:07
github
github
Cross-site scripting (XSS) in Apache Velocity Tools
2021-03-12 20:24:22
datatables.net vulnerable to Prototype Pollution due to incomplete fix
2020-12-17 21:00:50
Command Injection Vulnerability
2021-02-16 16:51:04
ubuntu
ubuntu
Velocity Tools vulnerability
2023-08-10 00:00:00
Velocity Engine vulnerability
2023-08-10 00:00:00
HttpClient vulnerability
2022-08-08 00:00:00
debiancve
debiancve
CVE-2020-13959
2021-03-10 08:15:14
CVE-2020-13936
2021-03-10 08:15:14
CVE-2020-13956
2020-12-02 17:15:14
redhat
redhat
(RHSA-2021:1184) Moderate: RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement
2021-04-14 10:17:29
(RHSA-2022:1861) Moderate: maven:3.5 security update
2022-05-10 08:04:48
(RHSA-2022:0722) Moderate: rh-maven36-httpcomponents-client security update
2022-03-01 14:04:58
prion
prion
Cross site scripting
2021-03-10 08:15:00
Design/Logic Flaw
2020-12-16 11:15:00
Command injection
2021-02-16 17:15:00
ubuntucve
ubuntucve
CVE-2020-13959
2021-03-10 00:00:00
CVE-2020-13936
2021-03-10 00:00:00
CVE-2020-13956
2020-12-02 00:00:00
debian
debian
[SECURITY] [DLA 2597-1] velocity-tools security update
2021-03-17 16:30:06
[SECURITY] [DLA 2595-1] velocity security update
2021-03-17 12:25:07
[SECURITY] [DLA 2405-1] httpcomponents-client security update
2020-10-10 17:12:02
cve
cve
CVE-2020-13959
2021-03-10 08:15:14
CVE-2020-28458
2020-12-16 11:15:12
CVE-2020-13936
2021-03-10 08:15:14
githubexploit
githubexploit
Exploit for OS Command Injection in Systeminformation
2021-11-10 06:40:17
Exploit for OS Command Injection in Systeminformation
2021-03-01 18:52:41
Exploit for OS Command Injection in Systeminformation
2021-03-04 11:47:18
huntr
huntr
Denial of Service in sebhildebrandt/systeminformation
2021-02-11 00:00:00
nodejs
nodejs
Command Injection
2021-02-24 03:24:56
ibm
ibm
Security Bulletin: IBM Match 360 is affected due to a denial of service due to vulnerability in Apache Velocity Engine [CVE-2020-13936]
2023-09-01 16:32:38
Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Velocity
2024-06-26 10:47:34
Security Bulletin: Vulnerability found in velocity-1.7.jar which is shipped with IBM® Intelligent Operations Center [CVE-2020-13936]
2023-09-07 10:42:42
suse
suse
Security update for velocity (important)
2021-03-19 00:00:00
amazon
amazon
Important: velocity
2021-07-14 20:45:00
Medium: httpcomponents-client
2023-02-17 00:11:00
atlassian
atlassian
org.apache.velocity Vulnerability in Bitbucket Data Center and Server
2023-09-26 16:12:29
Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities
2021-02-03 22:39:15
mageia
mageia
Updated velocity packages fix security vulnerability
2021-04-12 22:59:59
Updated httpcomponents-client packages fix a security vulnerability
2021-07-07 02:12:30
cisa_kev
cisa_kev
System Information Library for Node.JS Command Injection
2022-01-18 00:00:00
attackerkb
attackerkb
CVE-2021-21315
2021-02-16 00:00:00
checkpoint_advisories
checkpoint_advisories
Node.JS System Information Command Injection (CVE-2021-21315)
2022-02-02 00:00:00
nuclei
nuclei
Node.JS System Information Library <5.3.1 - Remote Command Injection
2021-03-02 11:02:08
rocky
rocky
maven:3.6 security and enhancement update
2022-05-10 08:04:46
maven:3.5 security update
2022-05-10 08:04:48
oraclelinux
oraclelinux
maven:3.6 security and enhancement update
2022-05-17 00:00:00
maven:3.5 security update
2022-05-17 00:00:00
almalinux
almalinux
Moderate: maven:3.5 security update
2022-05-10 08:04:48
Moderate: maven:3.6 security and enhancement update
2022-05-10 08:04:46
cgr
cgr
CVE-2020-13956 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2020-13956 vulnerabilities
2024-07-01 09:08:36
freebsd
freebsd
Apache Maven -- multiple vulnerabilities
2021-04-04 00:00:00

0.973 High

EPSS

Percentile

99.9%

JSON
Related for 098A0B0BBDA18721083717F103FE7FB2B2BBE2394E33149D968FE7B59A7B2AD4
gentoo1nessus38openvas15nvd5cvelist5veracode5osv20redhatcve4github6ubuntu3debiancve3redhat15prion5ubuntucve3debian4cve5githubexploit4huntr1nodejs1ibm36suse1amazon2atlassian2mageia2cisa_kev1attackerkb1checkpoint_advisories1nuclei1rocky2oraclelinux2almalinux2cgr1wolfi1freebsd1