CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
54.3%
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js with details below.
CVEID:CVE-2023-23918
**DESCRIPTION:**Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with --experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2023-23920
**DESCRIPTION:**Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICU_DATA environment variable, an attacker could exploit this vulnerability to search and potentially load ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247694 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-24807
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Headers.set() and Headers.append() methods in the fetch API. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-23936
**DESCRIPTION:**Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247696 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2023-23919
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by not clear the OpenSSL error stack after operations. By sending specially-crafted cryptographic operations, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247697 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2021.1.1 |
2021.2.1 | |
2021.4.1 | |
2022.2.1 | |
2022.4.1 | |
Automation Assets in IBM Cloud Pak for Integration (CP4I) | 2021.1.1 |
2021.2.1 | |
2021.4.1 | |
2022.2.1 |
Platform Navigator in IBM Cloud Pak for Integration
Upgrade Platform Navigator to either the LTS or CD version:
LTS: 2022.2.1-8 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui>
CD: 2022.4.1-3 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.4?topic=upgrading-platform-ui>
Automation Assets version****in IBM Cloud Pak for Integration
Upgrade Automation Assets Operator to 2022.2.1-7 using the Operator upgrade process described in the IBM Documentation
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_security | 2021.1.12021.2.12021.4.12022.2.12022.4.1 | cpe:2.3:a:ibm:cloud_pak_for_security:2021.1.12021.2.12021.4.12022.2.12022.4.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 2021.1.12021.2.12021.4.12022.2.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:2021.1.12021.2.12021.4.12022.2.1:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
54.3%