CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentile: 47.6%
The Python Cryptographic Authority package is used by paramiko, a third-party library, which is used by the Ansible collection for Storage Virtualize for authentication to target systems. This library is vulnerable to CVE-2023-38325.
CVEID: CVE-2023-38325
**DESCRIPTION:** Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
Red Hat Certified Ansible Collection for IBM Storage Virtualize | All |
Update Python to version >= 3.9
Update ibm.storage_virtualize to version >= 2.1.0
Verify that cryptography >= 41.0.3 is installed. It will be installed along with ibm.storage_virtualize level listed above.
Please note that the plugin will still work on Python < 3.9, but it is necessary to update to fix this vulnerability, as the fixed version of cryptography is not supported on Python < 3.9.
Ansible collection ibm.storage_virtualize (version 2.1.0): <https://github.com/ansible-collections/ibm.storage_virtualize>
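A check for the three remediation steps above, as an added example that is not part of the bulletin or the collection's own code. It assumes the collection is installed under one of Ansible's default collection paths and is run with the same Python interpreter Ansible uses on the control node; the function names are illustrative.

```python
import json
import re
import sys
from importlib import metadata
from pathlib import Path

# Minimum versions taken from the bulletin's remediation steps.
MIN_PYTHON = (3, 9)
MIN_COLLECTION = (2, 1, 0)
MIN_CRYPTOGRAPHY = (41, 0, 3)

def parse_version(text):
    """Return the leading numeric release of a version string as an int tuple.
    Pre-release suffixes (rc1, .dev0) are ignored, so verify those by hand."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def meets(found, minimum):
    """True if `found` (a version string) is >= `minimum`; None means not installed."""
    if found is None:
        return False
    v = parse_version(found)
    width = max(len(v), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) >= pad(minimum)  # numeric compare, so 3.10 > 3.9

def collection_version(roots):
    """Read the ibm.storage_virtualize version from MANIFEST.json under `roots`."""
    for root in roots:
        manifest = Path(root) / "ansible_collections/ibm/storage_virtualize/MANIFEST.json"
        if manifest.is_file():
            return json.loads(manifest.read_text())["collection_info"]["version"]
    return None

def audit(python, collection, crypto):
    """Map each remediation step to pass/fail for the supplied version strings."""
    return {"python>=3.9": meets(python, MIN_PYTHON),
            "ibm.storage_virtualize>=2.1.0": meets(collection, MIN_COLLECTION),
            "cryptography>=41.0.3": meets(crypto, MIN_CRYPTOGRAPHY)}

def audit_host(roots=(Path.home() / ".ansible/collections", "/usr/share/ansible/collections")):
    """Audit this interpreter; `roots` defaults to Ansible's default paths (assumption)."""
    try:
        crypto = metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        crypto = None
    return audit(".".join(map(str, sys.version_info[:3])), collection_version(roots), crypto)

if __name__ == "__main__":
    for check, ok in audit_host().items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

A `FAIL` on the collection line can also mean it is installed outside the default paths; pass the actual collection root to `audit_host` in that case.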
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_support_for_ansible | 2.1.0 | cpe:2.3:a:ibm:ibm_support_for_ansible:2.1.0:*:*:*:*:*:*:* |