CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
IBM App Connect Enterprise is vulnerable to a local authenticated attack and denial of service due to Microsoft Azure Identity Libraries and Microsoft Authentication Library and gRPC on Node.js. This bulletin identifies the steps to take to address the vulnerability.
CVEID:CVE-2024-35255
**DESCRIPTION:**Microsoft Azure Identity Libraries and Microsoft Authentication Library could allow a local authenticated attacker to gain elevated privileges on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to elevate privileges and read any file on the file system with SYSTEM access permissions.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/293960 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-37168
**DESCRIPTION:**gRPC on Node.js is vulnerable to a denial of service, caused by a flaw with memory allocation with excessive size value. By sending specially crafted messages, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.3 |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise
Affected Product(s)
|
Version(s)
| APAR|
Remediation / Fixes
—|—|—|—
IBM App Connect Enterprise| 12.0.1.0 - 12.0.12.3| IT46518|
The APAR (IT46518) is available from
IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.4
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | app_connect_enterprise | * | cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:* |
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High