CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Percentile: 50.0%
Pulsar is used by the IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. The vulnerabilities below (CVE-2023-30428, CVE-2023-30429, CVE-2023-37579 and CVE-2023-31007) have been addressed.
CVEID: CVE-2023-30428
**DESCRIPTION:** Apache Pulsar could allow a remote attacker to bypass security restrictions, caused by improper authorization validation for Rest Producer. By sending a specially crafted request, an attacker could exploit this vulnerability to produce garbage messages to any topic in the cluster or produce messages to the topic level policies topic for other tenants and influence topic settings.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260296 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2023-30429
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper authorization validation for Function Worker when using mTLS Authentication through Pulsar Proxy. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-37579
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation in the Function Worker. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain Sink/Source Credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260292 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2023-31007
**DESCRIPTION:** Apache Pulsar could allow a remote attacker to bypass security restrictions, caused by a flaw in which the broker does not always disconnect a client when its authentication data expires. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
Transport Module Common Integration Library | common-transportmodule-29_0 up to and including common-transportmodule-37_0 |
Product(s) | Version(s) | Remediation / First Fix |
---|---|---|
Transport Module Common Integration Library | common-transportmodule-38_0 | Refer to release notice for the part number of the new package and instructions for the upgrade |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | tivoli_netcool_webtop | any | cpe:2.3:a:ibm:tivoli_netcool_webtop:any:*:*:*:*:*:*:* |
ibm | tivoli_netcool\/omnibus | 8.1.0 | cpe:2.3:a:ibm:tivoli_netcool\/omnibus:8.1.0:*:*:*:*:*:*:* |