IBMD3814876D8B534E9D440C9C4B83F548688EBDCC034230C25B43E0961F62F5E39Security Bulletin: IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
42.3%
Summary
A vulnerability in Node.js Request package through 2.88.1 affects the Node.js component that is used by IBM Event Streams (CVE-2023-28155). This vulnerability has been addressed.
Vulnerability Details
CVEID:CVE-2023-28155
**DESCRIPTION:**Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol redirect bypass flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams | 10.0.0 - 11.2.1 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading
Upgrade to IBM Event Streams 11.2.2 by following the <https://ibm.github.io/event-automation/es/installing/upgrading/> documentation.
Workarounds and Mitigations
None
Affected configurations
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
42.3%