IBM9A01B9548670E364E102A05A5440EA2083289231F2B9983636DDCAAF51530373Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991)
EPSS
Percentile
53.4%
Summary
PowerKVM is affected by two vulnerabilities in Python. These vulnerabilities are now fixed.
Vulnerability Details
CVEID: CVE-2013-5123**
DESCRIPTION:** Python pip could allow a remote attacker to bypass security restrictions, caused by the implementation of the mirroring support without authentication checks. An attacker could exploit this vulnerability to download software over insecure links.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2014-8991**
DESCRIPTION:** Python pip is vulnerable to a denial of service, caused by a predictable build directory. A local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
PowerKVM 2.1
Remediation/Fixes
Fix is made available via Fix Central (https://ibm.biz/BdEnT8) in 2.1.1 Build 65.1 and all later 2.1.1 SP3 service builds and 2.1.1 fix packs. For systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions. Customers can also update from 2.1.1 (GA and later levels) by using “yum update”.
Workarounds and Mitigations
None
Related
EPSS
Percentile
53.4%