IBMCB3FF72AA5D827DB37EAE3CF02D02BD591F97B973ED6C1C36A853AD979EAE5CBSecurity Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple vulnerabilities (CVE-2019-11236, CVE-2020-26137, CVE-2021-33503)
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
74.8%
Summary
Urllib is used by IBM Cloud Pak for Data Scheduling as part of the Ansible operator used for installation of the Scheduler.
Vulnerability Details
CVEID:CVE-2019-11236
**DESCRIPTION:**Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2020-26137
**DESCRIPTION:**urllib3 is vulnerable to CRLF injection. By inserting CR and LF control characters in the first argument of putrequest(), a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189426 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2021-33503
**DESCRIPTION:**urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203109 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
Affected Products/Versions guidance:
Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data Scheduling| 4.6.4 - 4.7.4
Remediation/Fixes
Remediation/Fixes guidance:
IBM recommends addressing the vulnerability now.
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Cloud Pak for Data Scheduling | 4.6.4 - 4.7.4 | Download v4.8 and follow instructions |
Workarounds and Mitigations
Workarounds/Mitigation guidance:
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for data | eq | 4.8.0 |
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
74.8%