Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM73B9C9A58161BBF31A6FE5E117E77AD152FFE9797D38D94774D9ACF4D6BF8C2B
HistoryMay 17, 2023 - 7:55 p.m.

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js (CVE-2022-0235,CVE-2020-15168)

2023-05-1719:55:11
www.ibm.com
12
ibm infosphere information server
node.js
vulnerabilities
cve-2022-0235
cve-2020-15168
remediation
version 11.7

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.004 Low

EPSS

Percentile

72.2%

JSON

Summary

Multiple vulnerabilities in Node.js used by InfoSphere Information Server were addressed.

Vulnerability Details

CVEID:CVE-2022-0235
**DESCRIPTION:**Node.js node-fetch could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when fetching a remote url with Cookie. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217758 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-15168
**DESCRIPTION:**Node.js node-fetch module is vulnerable to a denial of service, caused by the failure to honor the size option after following a redirect. By using a specially-crafted file, a remote attacker could exploit this vulnerability to consume excessive resource on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188155 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
InfoSphere Information Server 11.7

Remediation/Fixes

Product VRMF APAR Remediation
InfoSphere Information Server, InfoSphere Information Server on Cloud 11.7 DT195852 --Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply InfoSphere Information Server version 11.7.1.4
--Apply InfoSphere Information Server 11.7.1.4 Service pack 1

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibminfosphere_information_serverMatch11.7

Related

ibm 31
cvelist 2
github 2
ubuntucve 2
nodejs 1
cve 2
redhatcve 2
osv 8
veracode 2
prion 2
nvd 2
debiancve 2
openvas 11
debian 1
huntr 1
ubuntu 1
nessus 19
suse 4
redhat 17
almalinux 1
oraclelinux 1
rocky 1
ics 1
ibm
ibm
Security Bulletin:Multiple Vulnerabilities found in Turf.js which is shipped with IBM® Intelligent Operations Center(CVE-2020-15168, CVE-2022-0235)
2023-09-05 12:46:26
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2020-15168)
2021-01-05 12:36:25
Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerability
2021-03-30 19:24:48
cvelist
cvelist
CVE-2020-15168 File size limit bypass in node-fetch
2020-09-10 18:25:13
CVE-2022-0235 Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
2022-01-16 00:00:00
github
github
The `size` option isn't honored after following a redirect in node-fetch
2020-09-10 17:46:21
node-fetch forwards secure headers to untrusted sites
2022-01-21 23:55:52
ubuntucve
ubuntucve
CVE-2020-15168
2020-09-10 00:00:00
CVE-2022-0235
2022-01-16 00:00:00
nodejs
nodejs
Denial of Service
2020-09-10 17:55:53
cve
cve
CVE-2020-15168
2020-09-10 19:15:13
CVE-2022-0235
2022-01-16 17:15:07
redhatcve
redhatcve
CVE-2020-15168
2020-09-24 10:46:39
CVE-2022-0235
2022-05-07 13:58:10
osv
osv
CVE-2020-15168
2020-09-10 19:15:13
The `size` option isn't honored after following a redirect in node-fetch
2020-09-10 17:46:21
CVE-2022-0235
2022-01-16 17:15:07
veracode
veracode
Denial Of Service (DoS)
2020-09-11 03:20:47
Information Disclosure
2022-01-17 09:09:26
prion
prion
Design/Logic Flaw
2020-09-10 19:15:00
Design/Logic Flaw
2022-01-16 17:15:00
nvd
nvd
CVE-2020-15168
2020-09-10 19:15:13
CVE-2022-0235
2022-01-16 17:15:07
debiancve
debiancve
CVE-2020-15168
2020-09-10 19:15:13
CVE-2022-0235
2022-01-16 17:15:07
openvas
openvas
Debian: Security Advisory (DLA-3222-1)
2022-12-05 00:00:00
Ubuntu: Security Advisory (USN-6158-1)
2023-06-14 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:1466-1)
2022-04-29 00:00:00
debian
debian
[SECURITY] [DLA 3222-1] node-fetch security update
2022-12-05 00:22:45
huntr
huntr
Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch
2022-01-05 19:40:17
ubuntu
ubuntu
Node Fetch vulnerability
2023-06-13 00:00:00
nessus
nessus
RHEL 8 : node-fetch (Unpatched Vulnerability)
2024-05-11 00:00:00
Debian DLA-3222-1 : node-fetch - LTS security update
2022-12-05 00:00:00
Ubuntu 18.04 ESM / 20.04 LTS : Node Fetch vulnerability (USN-6158-1)
2023-06-13 00:00:00
suse
suse
Security update for nodejs8 (moderate)
2022-05-17 00:00:00
Security update for nodejs12 (important)
2022-04-28 00:00:00
Security update for nodejs14 (important)
2022-04-28 00:00:00
redhat
redhat
(RHSA-2023:0050) Moderate: nodejs:14 security, bug fix, and enhancement update
2023-01-09 14:24:14
(RHSA-2023:0612) Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
2023-02-06 19:29:10
(RHSA-2022:8524) Important: Red Hat Data Grid 8.4.0 security update
2022-11-17 13:38:03
almalinux
almalinux
Moderate: nodejs:14 security, bug fix, and enhancement update
2023-01-09 00:00:00
oraclelinux
oraclelinux
nodejs:14 security, bug fix, and enhancement update
2023-01-09 00:00:00
rocky
rocky
nodejs:14 security, bug fix, and enhancement update
2023-01-09 14:24:14
ics
ics
Siemens SINEC INS
2022-09-15 12:00:00

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.004 Low

EPSS

Percentile

72.2%

JSON
Related for 73B9C9A58161BBF31A6FE5E117E77AD152FFE9797D38D94774D9ACF4D6BF8C2B
ibm31cvelist2github2ubuntucve2nodejs1cve2redhatcve2osv8veracode2prion2nvd2debiancve2openvas11debian1huntr1ubuntu1nessus19suse4redhat17almalinux1oraclelinux1rocky1ics1