
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise v11, v12 & IBM Integration Bus (CVE-2020-7608)

2022-06-27 17:10:35
www.ibm.com

CVSS2: 4.6 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 5.3 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS: 0.0004 Low (Percentile: 12.8%)

Summary

IBM App Connect Enterprise ships with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID: CVE-2020-7608
**DESCRIPTION:** Node.js yargs-parser module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a `__proto__` payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
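The class of flaw described above, as an added example (not IBM's or yargs-parser's code): a simplified dotted-key option setter of the kind argument parsers use for options such as `--a.b=1`, shown in a naive form and a hardened form. All function names and the sample arguments are constructed for illustration.

```javascript
// Simplified model of expanding "--a.b=value" into nested objects.
// Hypothetical helper, not yargs-parser's source.
function setKeyNaive(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    // Flaw: node['__proto__'] resolves to Object.prototype, so the walk
    // leaves `target` and continues on the prototype shared by all objects.
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: reject prototype-related segments, follow own properties only.
function setKeySafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => BLOCKED.has(p))) {
    throw new Error(`refusing option key: ${dottedKey}`);
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Parse "--key=value" arguments with the given setter.
function parseArgs(argv, setKey) {
  const opts = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(opts, m[1], m[2]);
  }
  return opts;
}

// True if an unrelated, freshly created object inherits the property.
const isPolluted = (name) => ({})[name] !== undefined;

function demo() {
  const argv = ['--name=app', '--__proto__.polluted=yes']; // constructed input
  parseArgs(argv, setKeyNaive);
  const naivePolluted = isPolluted('polluted');
  delete Object.prototype.polluted; // restore global state before the next run
  let rejected = false;
  try { parseArgs(argv, setKeySafe); } catch (e) { rejected = true; }
  return { naivePolluted, rejected, safePolluted: isPolluted('polluted') };
}
```

Calling `demo()` returns whether each setter let the constructed argument reach `Object.prototype`; a check like `isPolluted` is also usable as a regression test after applying a fix.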

Affected Products and Versions

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.13

IBM App Connect Enterprise V12, V12.0.1.0

IBM Integration Bus v10, 10.0.0.0 - V10.0.0.26

Remediation/Fixes

Product | VRMF | APAR | Remediation / Fix
---|---|---|---
IBM App Connect Enterprise v12 | V12.0.1.0 | IT37753 | Interim fix for APAR is available at IBM Fix Central
IBM App Connect Enterprise v11 | V11.0.0.0 - V11.0.0.13 | IT37753 | The APAR is available in fix pack 11.0.0.14
IBM Integration Bus V10 | V10.0.0.0 - V10.0.0.26 | IT37753 | The APAR is available in fix pack 10.0.0.26

Workarounds and Mitigations

None

Affected configurations

CPE Name | Operator | Version
---|---|---
ibm integration bus v10 | eq | 10.0.0.0
