Lucene search

IBM699DB686974ABCA52FB620795DAC7B047FFAA5656DE194976FF4A8DFB18DE2BA

HistoryOct 09, 2023 - 10:54 a.m.

Security Bulletin: Vulnerability in Node.js affects IBM Process Mining . CVE-2022-25883

2023-10-0910:54:25

www.ibm.com

node.js

ibm process mining

vulnerability

denial of service

cve-2022-25883

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

53.0%

JSON

Summary

There is a vulnerability in Node.js that could allow a remote attacker to execute a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-25883
**DESCRIPTION:**Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining

1.14.1, 1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Remediation/Fixes

Remediation/Fixes guidance:

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining

1.14.1, 1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations

Vulners

Node

ibmcloud_pak_for_automationMatch1.14.1

ibmcloud_pak_for_automationMatch1.14.0

ibmcloud_pak_for_automationMatch1.13.2

ibmcloud_pak_for_automationMatch1.13.1

ibmcloud_pak_for_automationMatch1.13.0

ibmcloud_pak_for_automationMatch1.12.0.5

ibmcloud_pak_for_automationMatch1.12.0.4

VendorProductVersionCPE
ibmcloud_pak_for_automation1.14.1cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.14.0cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.0:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.2cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.2:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.1cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.0cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.0:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.12.0.5cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.5:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.12.0.4cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_automation	1.14.1	cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.1:::::::*
ibm	cloud_pak_for_automation	1.14.0	cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.0:::::::*
ibm	cloud_pak_for_automation	1.13.2	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.2:::::::*
ibm	cloud_pak_for_automation	1.13.1	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.1:::::::*
ibm	cloud_pak_for_automation	1.13.0	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.0:::::::*
ibm	cloud_pak_for_automation	1.12.0.5	cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.5:::::::*
ibm	cloud_pak_for_automation	1.12.0.4	cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.4:::::::*