Lucene search

IBM60795345B25079AEE970D66AF89BB479905EDAC1E6B9D4A7B40402702463E9EB

HistoryMar 02, 2023 - 8:47 p.m.

Security Bulletin: There is a vulnerability in Node.js used IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680)

2023-03-0220:47:05

www.ibm.com

node.js

ibm maximo manage

vulnerability

denial of service

cve-2022-21681

cve-2022-21680

ibm maximo application suite

patch

fix

update

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

72.4%

JSON

Summary

There is a vulnerability in Node.js used by IBM Maximo Manage application in IBM Maximo Application Suite.

Vulnerability Details

CVEID:CVE-2022-21681
**DESCRIPTION:**Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in inline.reflinkSearch. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217320 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-21680
**DESCRIPTION:**Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in block.def. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Product versions affected:

Affected Product(s)	Version(s)
Maximo Manage Application in IBM Maximo Application Suite	MAS 8.8-Manage 8.4

Remediation/Fixes

For IBM Maximo Manage application in IBM Maximo Application Suite:

MAS	Manage Patch Fix or Release
8.8	8.4.6 or latest (available from the Catalog under Update Available)
8.9	8.5 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_application_suiteMatch8.8.0

VendorProductVersionCPE
ibmmaximo_application_suite8.8.0cpe:2.3:a:ibm:maximo_application_suite:8.8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	maximo_application_suite	8.8.0	cpe:2.3:a:ibm:maximo_application_suite:8.8.0:::::::*

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

72.4%

JSON

Related for 60795345B25079AEE970D66AF89BB479905EDAC1E6B9D4A7B40402702463E9EB