Lucene search

IBM646517CB5902C532F3C6869677D964CE236D01A97699408BAD5E8273B7B55825

HistoryAug 01, 2024 - 6:47 p.m.

Security Bulletin: Vulnerabilities in Golang Go affect Cloud pak System [CVE-2023-39319, CVE-2023-39318]

2024-08-0118:47:05

www.ibm.com

golang go

ibm cloud pak system

cross-site scripting

html/template

cookie-based authentication

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

50.5%

JSON

Summary

Vulnerabilities in Golang Go affect Cloud Pak System Software.

Vulnerability Details

CVEID:CVE-2023-39319
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265942 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2023-39318
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported versions the recommendation is to upgrade to supported version of the product.
This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.
IBM strongly recommends addressing the vulnerability now by applying the fix below.

For Cloud Pak System V2.3.0.1, V2.3.1.1, V2.3.2.0,
Upgrade to Cloud Pak System v2.3.3.7 and apply V2.3.3.7 Interim Fix 01 at IBM Fix Central.
information on upgrading here <https://www.ibm.com/support/pages/node/6982511>

For Cloud Pak System V2.3.3.7,
Apply Cloud Pak System V2.3.3.7 Interim Fix 01 at IBM Fix Central.

information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

For Cloud Pak System on Intel
Upgrade to Cloud Pak System v2.3.4.0 for Intel at IBM Fix Central
Information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_systemMatch2.3

VendorProductVersionCPE
ibmcloud_pak_system2.3cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_system	2.3	cpe:2.3:a:ibm:cloud_pak_system:2.3:::::::*

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

50.5%

JSON

Related for 646517CB5902C532F3C6869677D964CE236D01A97699408BAD5E8273B7B55825