CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
95.9%
In addition to many updates of open source packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF011 and 22.0.1-IF001.
CVEID:CVE-2022-33987
**DESCRIPTION:**Node.js got module could allow a remote attacker to bypass security restrictions, caused by an unspecified. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform a redirect to a UNIX socket.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229246 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2021-23369
**DESCRIPTION:**Node.js handlebars module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when selecting certain compiling options to compile templates coming from an untrusted source… By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199768 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2021-23383
**DESCRIPTION:**handlebars could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution when selecting certain compiling options to compile templates coming from an untrusted source. By sending a a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-23450
**DESCRIPTION:**Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the setObject function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216463 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-5258
**DESCRIPTION:**Dojo dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177751 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2018-1000665
**DESCRIPTION:**Dojo Objective Harness (DOH) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by unit.html, testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150526 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2018-5673
**DESCRIPTION:**Booking-calendar plugin for WordPress is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the wp-admin/admin.php script. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/137693 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-22475
**DESCRIPTION:**IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
CVEID:CVE-2020-36518
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By using a large depth of nested objects, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2018-25031
**DESCRIPTION:**swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-0778
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) | Status |
---|
IBM Cloud Pak for Business Automation
| V22.0.1| affected
IBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF010| affected
IBM Cloud Pak for Business Automation|
V21.0.2 - V21.0.2-IF012 and later fixes
V21.0.1 - V21.0.1-IF007 and later fixes
V20.0.1 - V20.0.3 and later fixes
V19.0.1 - V19.0.3 and later fixes
V18.0.0 - V18.0.2 and later fixes
| affected
Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed by
CVE ID | Addressed in component |
---|---|
CVE-2022-33987 | Business Automation Application component |
CVE-2022-22475 | Multiple components building upon a shared WebSphere Liberty base image |
CVE-2020-36518 | Business Automation Workflow component |
Workflow Process Services component | |
CVE-2021-23450 | |
CVE-2020-5258 | |
CVE-2018-1000665 | |
CVE-2018-5673 | |
CVE-2018-25031 | |
CVE-2021-23369 | |
CVE-2021-23383 | Business Automation Studio component |
Business Automation Workflow component | |
Workflow Process Services component | |
CVE-2022-0778 | Multiple components building upon a shared node.js base image |
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Cloud Pak for Business Automation | V22.0.1 | Apply security fix 22.0.1-IF001 |
IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF010 | Apply security fix 21.0.3-IF011 or upgrade to 22.0.1-IF001 |
IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008 | |
V20.0.1 - V20.0.3 | ||
V19.0.1 - V19.0.3 | ||
V18.0.0 - V18.0.2 | Upgrade to 21.0.3-IF011 or 22.0.1-IF001 |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_automation | 18.0.0 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.0:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 18.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 18.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 21.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
95.9%