Lucene search

IBM346C36B67803B757FF1767E4BF910A6E6BE1A0BEA9FB7AA3921E81F01FE940F2

HistoryJun 13, 2022 - 5:09 p.m.

Security Bulletin: IBM Sterling Control Center is vulnerable to server-side request forgery due to Node.js axios module (CVE-2020-28168)

2022-06-1317:09:46

www.ibm.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

68.3%

JSON

Summary

Node.js axios module is used by IBM Sterling Control Center. A server-side request forgery vulnerability in Node.js axios module has been addressed.

Vulnerability Details

CVEID:CVE-2020-28168
**DESCRIPTION:**Node.js axios module is vulnerable to server-side request forgery, caused by improper input validation. By providing a URL that responds with a redirect to a restricted host or IP address, an attacker could exploit this vulnerability to conduct SSRF attack to bypass a proxy.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Control Center	6.2.1.0
IBM Sterling Control Center	6.2.0.0

Remediation/Fixes

Product

Version

Remediation

—|—|—

IBM Sterling Control Center

6.2.1.0

iFix07 available on Fix Central - 6.2.1.0

IBM Sterling Control Center

6.2.0.0

iFix07 available on Fix Central - 6.2.1.0

iFix18 available on Fix Central - 6.2.0.0

NOTE: This is the last planned 6.2.0.0 iFix release package. Please plan for future Control Center upgrades to 6.2.1.0 iFix07 (or later).

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcontrol_centerMatch6.2.0.0

ibmcontrol_centerMatch6.2.1.0

CPENameOperatorVersion
ibm control centereq6.2.0.0
ibm control centereq6.2.1.0

CPE	Name	Operator	Version
	ibm control center	eq	6.2.0.0
	ibm control center	eq	6.2.1.0

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

68.3%

JSON

Related for 346C36B67803B757FF1767E4BF910A6E6BE1A0BEA9FB7AA3921E81F01FE940F2