Lucene search

IBM2E7AE1B4FCF61DA7074EF9FEB76AB3CBCB5D9C697787A4E20F66CC75980CBD5A

HistorySep 16, 2022 - 3:41 p.m.

Security Bulletin: IBM Security QRadar Network Threat Analytics uses component jinja2 with a denial of service vulnerability (CVE-2020-28493)

2022-09-1615:41:17

www.ibm.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

57.4%

JSON

Summary

This product includes vulnabilities that can be exploited crafting input in the UI per the CVE. The fix updates the component to address the vulnerability.

Vulnerability Details

CVEID:CVE-2020-28493
**DESCRIPTION:**Pallets jinja2 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the email regex. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195894 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Security QRadar Network Threat Analytics| 1.0

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Update to IBM Security Network Threat Analytics 1.1.0

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmqradar_network_securityMatch1.

ibmqradar_network_securityMatch.

CPENameOperatorVersion
ibm security qradar network threat analyticseq1.
ibm security qradar network threat analyticseq.

CPE	Name	Operator	Version
	ibm security qradar network threat analytics	eq	1.
	ibm security qradar network threat analytics	eq	.

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

57.4%

JSON

Related for 2E7AE1B4FCF61DA7074EF9FEB76AB3CBCB5D9C697787A4E20F66CC75980CBD5A