IBM399578D218F35FC9D6675721AF7C39D2DA55885F05A6050C33C7471B98FF567ASecurity Bulletin: Vulnerability in the Node.js jose module affects IBM Event Streams (CVE-2022-36083)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0.001 Low
EPSS
Percentile
42.0%
Summary
This security vulnerability affects the Node.js jose module that is used by IBM Event Streams.
Vulnerability Details
CVEID:CVE-2022-36083
**DESCRIPTION:**Node.js jose module is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request using the p2c JOSE Header Parameter, a remote attacker could exploit this vulnerability to consume unreasonable amount of CPU time, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams |
10.0.0, 10.1.0, 10.2.0-eus, 10.2.1-eus, 10.3.0, 10.3.1, 10.4.0, 10.5.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading
Upgrade to IBM Event Streams 11.0.4 by following the upgrading and migrating documentation.
Workarounds and Mitigations
None
Affected configurations
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0.001 Low
EPSS
Percentile
42.0%