CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
36.5%
IBM Edge Application Manager 4.5 has resolved the vulnerability.
CVEID:CVE-2022-24772
**DESCRIPTION:**Node.js node-forge module could allow a remote attacker to bypass security restrictions, caused by improper signature verification when checking for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. By sending a specially-crafted request with garbage data, an attacker could exploit this vulnerability to forge a signature when a low public exponent is being used.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222173 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-24771
**DESCRIPTION:**Node.js node-forge module could allow a remote attacker to bypass security restrictions, caused by improper signature verification when checking the digestAlgorithm structure. By using a specially-crafted structure to steal padding bytes and uses unchecked portion of the PKCS#1 encoded message, an attacker could exploit this vulnerability to forge a signature when a low public exponent is being used.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222172 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-0122
**DESCRIPTION:**Node.js node-forge could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216833 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:CVE-2022-24773
**DESCRIPTION:**Node.js node-forge module could allow a remote attacker to bypass security restrictions, caused by improper signature verification when checking DigestInfo for a proper ASN.1 structure. By using a specially-crafted signature with invalid structures but a valid digest, an attacker could exploit this vulnerability to bypass signature verification.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222174 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
**IBM X-Force ID:**217313
**DESCRIPTION:**Nodejs node-forge module could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217313 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Edge Application Manager | 4.4 |
IBM Edge Application Manager | 4.3 |
The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | edge_application_manager | 4.3 | cpe:2.3:a:ibm:edge_application_manager:4.3:*:*:*:*:*:*:* |
ibm | edge_application_manager | 4.4 | cpe:2.3:a:ibm:edge_application_manager:4.4:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
36.5%