CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
EPSS
Percentile
67.9%
Multiple vulnerabilities were fixed in IBM Cloud Pak for Multicloud Management Security Services
CVEID:CVE-2022-31512
**DESCRIPTION:**flask-mvc could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-31504
**DESCRIPTION:**BaiduWenkuSpider_flaskWeb could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-31527
**DESCRIPTION:**flask-file-server could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-32148
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by improper exposure of client IP addresses in net/http. By calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, an attacker could exploit this vulnerability to obtain the client IP address information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233148 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Pak for Multicloud Management Security Services | 2.2 |
IBM Cloud Pak for Multicloud Management Security Services | 2.3 |
Upgrade to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 6 by following the instructions in
<https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-6>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_multicloud_management | 2.2 | cpe:2.3:a:ibm:cloud_pak_for_multicloud_management:2.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_multicloud_management | 2.3 | cpe:2.3:a:ibm:cloud_pak_for_multicloud_management:2.3:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
EPSS
Percentile
67.9%