Lucene search

IBM74F535A8CF66E38D33F2349CEE26ACB06F03ED8BAAE826CA354CD7ABE0CC3923

HistoryJun 07, 2023 - 3:44 p.m.

Security Bulletin: Multiple vulnerabilities in golang affect IBM Db2® REST

2023-06-0715:44:22

www.ibm.com

ibm db2 rest

golang vulnerabilities

html injection

upgrade

ibm cloud container registry

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

65.6%

JSON

Summary

IBM Db2® REST is affected by multiple vulnerabilities found in Golang. IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-24540
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029”, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-29400
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into the templates, which when parsed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255427 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-24539
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing multiple actions separated by a ‘/’ character, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

All platforms of the following IBM® Db2® REST levels are affected:

Affected Product(s)	Version(s)
Db2 Rest

1.0.0.121-amd64-1.0.0.268-amd64

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® REST release containing the fix for these issues.

Product(s)	Fixed in Version(s)
Db2 REST

1.0.0.276-amd64

latest-amd64

Follow the instructions below to download IBM Db2 REST from the IBM Cloud Container Registry.

<https://www.ibm.com/docs/en/db2/11.5?topic=endpoints-downloading-rest-service>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmdb2_for_linux\,_unix_and_windowsMatchany

VendorProductVersionCPE
ibmdb2_for_linux\,_unix_and_windowsanycpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	db2_for_linux\,_unix_and_windows	any	cpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:any:::::::*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

65.6%

JSON

Related for 74F535A8CF66E38D33F2349CEE26ACB06F03ED8BAAE826CA354CD7ABE0CC3923