CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 71.1% |

The IBM Db2 Mirror for i GUI uses Chart.js for data presentation and charting features. The version of Chart.js used by IBM Db2 Mirror for i depends upon Moment.js, which is vulnerable to CVE-2022-24785 as described in the vulnerability details section. IBM has addressed the vulnerability for IBM Db2 Mirror for i by upgrading to Chart.js 3.7.1, which no longer depends upon Moment.js.
CVEID: CVE-2022-24785
**DESCRIPTION:** Moment.js could allow a remote attacker to traverse directories on the system, caused by improper validation of user-supplied input. An attacker could send a specially crafted locale string containing “dot dot” sequences (/../) to switch to an arbitrary moment locale.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
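
For applications that pass a user-supplied locale name to Moment.js themselves, the missing input validation described above can be supplied by the caller. The following is an added example, not code from IBM or the Moment.js project; `sanitizeLocale`, `SUPPORTED_LOCALES` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example (not IBM or Moment.js code). All names here are hypothetical.
// Allowlist of locale names the application actually ships (constructed sample).
const SUPPORTED_LOCALES = new Set(["en", "en-gb", "fr", "de", "pt-br", "zh-cn"]);
const DEFAULT_LOCALE = "en";

// Shape check: a language subtag plus optional subtags, letters and digits only.
// No '.', '/', '\', '%' or NUL can pass, so no path component survives.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

// Returns the locale that is safe to hand to moment.locale(), plus the decision.
function sanitizeLocale(input) {
  if (typeof input !== "string" || input.length > 35) {
    return { locale: DEFAULT_LOCALE, accepted: false, reason: "not a short string" };
  }
  // Normalise case and the common underscore form (en_GB -> en-gb).
  const candidate = input.trim().toLowerCase().replace(/_/g, "-");
  if (!LOCALE_SHAPE.test(candidate)) {
    return { locale: DEFAULT_LOCALE, accepted: false, reason: "invalid characters or shape" };
  }
  if (SUPPORTED_LOCALES.has(candidate)) {
    return { locale: candidate, accepted: true, reason: "exact match" };
  }
  // Fall back from a region variant to its base language (fr-ca -> fr) if shipped.
  const base = candidate.split("-")[0];
  if (SUPPORTED_LOCALES.has(base)) {
    return { locale: base, accepted: true, reason: "base language fallback" };
  }
  return { locale: DEFAULT_LOCALE, accepted: false, reason: "locale not shipped" };
}

// Constructed inputs, standing in for values read from a query parameter or header.
function demo() {
  return ["en_GB", "fr-CA", "xx", "../fr", "en/../de", "fr\u0000"].map(
    (raw) => ({ raw, ...sanitizeLocale(raw) })
  );
}

console.table(demo());
```

Logging the rejected `raw` values server-side gives a detection signal for requests that carry path characters in a locale field.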
Affected Product(s) | Version(s) |
---|---|
IBM Db2 Mirror for i | 7.5 |
IBM Db2 Mirror for i | 7.4 |
IBM strongly recommends addressing the vulnerability now.
The vulnerability can be fixed by applying a PTF to IBM i. Releases 7.5 and 7.4 of IBM Db2 Mirror for i are supported and will be fixed.
The PTF numbers containing the fix for this vulnerability are in the following table. IBM recommends installing the group PTF rather than the individual fix.
Affected Product(s) | Version(s) | Group PTF Number and Minimum Level for Remediation | 5770-DBM PTF Number for Remediation |
---|---|---|---|
IBM Db2 Mirror for i | 7.5 | SF99951 level 1 | SI79449 |
IBM Db2 Mirror for i | 7.4 | SF99668 level 19 | SI79448 |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | i | 7.4 | cpe:2.3:o:ibm:i:7.4:*:*:*:*:*:*:* |
ibm | i | 7.5 | cpe:2.3:o:ibm:i:7.5:*:*:*:*:*:*:* |
ibm | ibm_i_7.4 | 7.4 | cpe:2.3:a:ibm:ibm_i_7.4:7.4:*:*:*:*:*:*:* |
ibm | db2_mirror_for_i | 7.4 | cpe:2.3:a:ibm:db2_mirror_for_i:7.4:*:*:*:*:*:*:* |
ibm | db2_mirror_for_i | 7.5 | cpe:2.3:a:ibm:db2_mirror_for_i:7.5:*:*:*:*:*:*:* |