IBM8D701AFF7E3C85344E0EF98BD2577D34695ED39B5D5A3618497F038D338E0139Security Bulletin: IBM Event Streams is affected by a vulnerability in Express.js Express (CVE-2022-24999)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.014 Low
EPSS
Percentile
86.6%
Summary
This security vulnerability affects qs package (before 6.10.3) that is used by the IBM Event Streams UI component.
Vulnerability Details
CVEID:CVE-2022-24999
**DESCRIPTION:**Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a proto or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams | 10.0.0, 10.1.0, 10.2.0-eus, 10.2.1-eus, 10.3.0, 10.3.1, 10.4.0, 10.5.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.1.0, 11.1.1, 11.1.2, 11.1.3 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading
IBM Event Streams (Continuous Delivery)
- Upgrade to IBM Event Streams 11.1.4 by following the upgrading and migrating documentation.
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.014 Low
EPSS
Percentile
86.6%