Oct 11, 2023 - 5:05 a.m.

Security Bulletin: IBM Security Verify Governance - Identity Manager (Virtual Appliance) is affected by multiple vulnerabilities (CVE-2023-35903, CVE-2023-35018, CVE-2023-35013, X-Force ID 220945)

2023-10-11 05:05:24
www.ibm.com

CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 25.4%

Summary

IBM Security Verify Governance - Identity Manager (Virtual Appliance) is vulnerable to arbitrary file upload, escalation of privileges, and sensitive information leak. These issues have been addressed in this update.

Vulnerability Details

**CVEID:** CVE-2023-35903
**DESCRIPTION:** IBM Security Verify Governance could allow a privileged user to upload arbitrary files due to improper file validation.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259382 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L)

**CVEID:** CVE-2023-35018
**DESCRIPTION:** IBM Security Verify Governance, Identity Manager could allow a local user to escalate their privileges due to improper access controls.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257779 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2023-35013
**DESCRIPTION:** IBM Security Verify Governance, Identity Manager could allow a local privileged user to obtain sensitive information from source code.
CVSS Base score: 2.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257769 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:** 220945
**DESCRIPTION:** Node.js utile module could allow a remote attacker to obtain sensitive information, caused by an uninitialized buffer allocation issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from uninitialized memory or to cause a denial of service condition.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220945 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Security Verify Governance - Identity Manager virtual appliance component | All prior to 10.0.2 Fixpack 0 |

Remediation/Fixes

IBM recommends customers update their systems promptly by downloading the following release:

| Affected Product(s) | Version(s) | Fix Availability |
| --- | --- | --- |
| IBM Security Verify Governance - Identity Manager virtual appliance component | 10.0.2 | 10.0.2.0-ISS-ISVG-IMVA-FP0000 |

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm security_verify_governance, Match 10.0

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm security verify governance | eq | 10.0 |
