IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities with details below
CVEID:CVE-2021-22930
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206473 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-22921
**DESCRIPTION:**Node.js could allow a local attacker to gain elevated privileges on the system, caused by improper configuration of permissions in the installation directory. Under certain conditions. An attacker could exploit this vulnerability to perform PATH and DLL hijacking attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-22918
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv’s uv__idna_toascii() function. By invoking the function using dns module’s lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
2021.1.1 | |
2021.2.1 | |
Asset Repository in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
2021.1.1 | |
2021.2.1 |
Platform Navigator 2020.4.1 in****IBM Cloud Pak for Integration
Upgrade Platform Navigator 2020.4.1 to 2020.4.1-4-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface>
Platform Navigator version 2021.1 or 2021.2 in IBM Cloud Pak for Integration
Upgrade Asset Repository to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
**
Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration**
Upgrade Asset Repository to 2020.4.1-3-eus using the Operator upgrade process described in the IBM Documentation
Asset Repository version 2021.1 or 2021.2 in IBM Cloud Pak for Integration
Upgrade Asset Repository to 2021.2.1-1 using the Operator upgrade process described in the IBM Documentation
None