CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
41.2%
Golang compiler is used by IBM Cloud Pak for Data Scheduling to create the scheduler binaries. < CVE-2023-45283, CVE-2023-45284, CVE-2023-45285 >
CVEID:CVE-2023-45283
**DESCRIPTION:**Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a ??\ prefix as a Root Local Device path prefix in the filepath and safefilepath package. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-45284
**DESCRIPTION:**Golang Go could provide weaker than expected security, caused by the failure to correctly detect reserved device names in some cases by the IsLocal function in the filepath package. An attacker could exploit this vulnerability to report “COM1”, and reserved names “COM” and “LPT” followed by superscript 1, 2, or 3 as local.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-45285
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when using go get to fetch a module with the “.git” suffix. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the insecure “git://” protocol, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273323 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data Scheduling| 4.6.4 - 4.8.2
IBM recommends addressing the vulnerability now.
Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
---|---|---|
IBM Cloud Pak for Data Scheduling | 4.6.4 - 4.8.2 | Follow the instructions to upgrade. |
Note: IBM Cloud Pak for Data Scheduling are bundled with IBM Cloud Pak for Data to provide advanced scheduling features
Workarounds/Mitigation guidance:
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_data | 4.8.4 | cpe:2.3:a:ibm:cloud_pak_for_data:4.8.4:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
41.2%