IBM31C8ADB700096180F1AAC43E2708956C57E91BB2D0A0E004CFB537FC62E5AC03Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to DevExpress SafeBinaryFormatter (CVE-2022-28684)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.022 Low
EPSS
Percentile
89.5%
Summary
DevExpress is used by IBM Robotic Process Automatoin as part of the Dashboard and some commands. (CVE-2022-28684)
Vulnerability Details
CVEID:CVE-2022-28684
**DESCRIPTION:**DevExpress could allow a remote authenticated attacker to execute arbitrary code on the system, caused by deserialization of untrusted Data in the SafeBinaryFormatter library. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229662 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation | < 21.0.4 |
| IBM Robotic Process Automation for Cloud Pak | < 21.0.4 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation | < 21.0.4 | Download 21.0.4 and follow instructions. |
| IBM Robotic Process Automation for Cloud Pak | < 21.0.4 | Update to 21.0.4, follow instructions. |
Workarounds and Mitigations
None
Affected configurations
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.022 Low
EPSS
Percentile
89.5%