Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME2CA1E7AD2646F35FD854E930E6AF030E58817DBF599A59E49719694B3B46D1F
HistoryFeb 06, 2021 - 12:02 a.m.

Security Bulletin: Multiple vulnerabilities affect IBM Cloud Pak for Automation

2021-02-0600:02:51
www.ibm.com
15
ibm cloud pak
automation
vulnerabilities
node.js
denial of service
clear text credentials
ssrf
xss
code injection

EPSS

0.338

Percentile

97.1%

JSON

Summary

The vulnerabilities are related to Node.js runtime and modules and other open source packages. Issues related to connection credentials written in clear in log files, in the event emitters and other component level connections, have been fixed.

Vulnerability Details

CVEID:CVE-2020-8277
**DESCRIPTION:**Node.js is vulnerable to a denial of service. By getting the application to resolve a DNS record with a larger number of responses, an attacker could exploit this vulnerability to trigger a DNS request for a host of their choice resulting in a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191755 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-20358
**DESCRIPTION:**IBM Business Automation Insights stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-28168
**DESCRIPTION:**Node.js axios module is vulnerable to server-side request forgery, caused by improper input validation. By providing a URL that responds with a redirect to a restricted host or IP address, an attacker could exploit this vulnerability to conduct SSRF attack to bypass a proxy.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-10785
**DESCRIPTION:**Dojox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dojox.xmpp.util.xmlEncode. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-5259
**DESCRIPTION:**Dojo dojox could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-5258
**DESCRIPTION:**Dojo dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177751 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-4051
**DESCRIPTION:**Dijit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Editor’s LinkDialog plugin. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-20359
**DESCRIPTION:**Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194966 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-7774
**DESCRIPTION:**Node.js y18n module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191999 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Automation 20.0.3
IBM Cloud Pak for Automation 20.0.2 IF002

Remediation/Fixes

Upgrade to IBM Cloud Pak for Automation 20.0.3 IF002

Workarounds and Mitigations

None

Related

ibm 55
debian 2
nessus 28
mageia 2
openvas 15
osv 15
oraclelinux 1
almalinux 1
ubuntucve 6
prion 6
nvd 6
veracode 5
cvelist 6
redhatcve 4
debiancve 5
github 4
rocky 1
cve 7
githubexploit 3
redhat 2
nodejs 2
fedora 4
f5 1
cbl_mariner 2
altlinux 3
suse 2
photon 2
alpinelinux 2
freebsd 1
hackerone 1
gitlab 1
archlinux 1
ubuntu 1
gentoo 1
nodejsblog 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in dojo may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)
2021-02-04 20:32:50
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Dojo Toolkit
2021-04-22 22:54:34
Security Bulletin: Mulitple vulnerabilities in Dojo dojox repo may affect IBM Storage Scale
2023-07-17 13:00:16
debian
debian
[SECURITY] [DLA 2139-1] dojo security update
2020-03-11 19:14:41
[SECURITY] [DLA 2127-1] dojo security update
2020-02-29 10:58:42
nessus
nessus
Debian DLA-2139-1 : dojo security update
2020-03-12 00:00:00
Oracle Linux 8 : nodejs:12 (ELSA-2020-5499)
2020-12-17 00:00:00
Debian DLA-2127-1 : dojo security update
2020-03-02 00:00:00
mageia
mageia
Updated dojo packages fix security vulnerability
2020-05-27 12:52:46
Updated dojo packages fix security vulnerability
2020-03-06 19:13:58
openvas
openvas
Mageia: Security Advisory (MGASA-2020-0232)
2022-01-28 00:00:00
Debian: Security Advisory (DLA-2139-1)
2020-03-18 00:00:00
Debian: Security Advisory (DLA-2127-1)
2020-03-01 00:00:00
osv
osv
dojo - security update
2020-03-11 00:00:00
XSS in dojox due to insufficient escape in dojox.xmpp.util.xmlEncode
2020-02-13 22:21:06
dojo - security update
2020-02-29 00:00:00
oraclelinux
oraclelinux
nodejs:12 security and bug fix update
2020-12-17 00:00:00
almalinux
almalinux
Moderate: nodejs:12 security and bug fix update
2020-12-15 16:03:21
ubuntucve
ubuntucve
CVE-2019-10785
2020-02-13 00:00:00
CVE-2020-28168
2020-11-06 00:00:00
CVE-2020-5258
2020-03-10 00:00:00
prion
prion
Cross site scripting
2020-02-13 17:15:00
Server side request forgery (ssrf)
2020-11-06 20:15:00
Design/Logic Flaw
2021-02-08 15:15:00
nvd
nvd
CVE-2019-10785
2020-02-13 17:15:29
CVE-2021-20358
2021-02-08 15:15:12
CVE-2021-20359
2021-02-08 15:15:12
veracode
veracode
Cross-Site Scripting (XSS)
2020-02-14 05:34:58
Server-Side Request Forgery (SSRF)
2020-11-09 11:41:33
Prototype Pollution
2020-03-11 03:56:26
cvelist
cvelist
CVE-2019-10785
2020-02-13 16:02:46
CVE-2020-28168
2020-11-06 19:22:38
CVE-2021-20359
2021-02-08 14:40:19
redhatcve
redhatcve
CVE-2019-10785
2020-05-04 14:09:54
CVE-2020-28168
2020-11-09 19:38:12
CVE-2020-7774
2020-11-17 20:08:56
debiancve
debiancve
CVE-2019-10785
2020-02-13 17:15:29
CVE-2020-28168
2020-11-06 20:15:13
CVE-2020-7774
2020-11-17 13:15:12
github
github
XSS in dojox due to insufficient escape in dojox.xmpp.util.xmlEncode
2020-02-13 22:21:06
Axios vulnerable to Server-Side Request Forgery
2021-01-04 20:59:40
Prototype Pollution in Dojox
2020-03-10 18:03:32
rocky
rocky
nodejs:12 security and bug fix update
2020-12-15 16:03:21
cve
cve
CVE-2019-10785
2020-02-13 17:15:29
CVE-2021-20359
2021-02-08 15:15:12
CVE-2021-20358
2021-02-08 15:15:12
githubexploit
githubexploit
Exploit for Cross-site Scripting in Linuxfoundation Dojox
2020-12-01 09:18:57
Exploit for Uncontrolled Resource Consumption in Nodejs Node.Js
2021-07-10 20:42:11
Exploit for Uncontrolled Resource Consumption in Nodejs Node.Js
2020-11-18 10:57:13
redhat
redhat
(RHSA-2020:5305) Moderate: rh-nodejs12-nodejs security update
2020-12-01 14:18:32
(RHSA-2020:5499) Moderate: nodejs:12 security and bug fix update
2020-12-15 16:03:21
nodejs
nodejs
Server-Side Request Forgery
2021-01-04 21:04:59
Prototype Pollution
2021-03-12 23:16:43
fedora
fedora
[SECURITY] Fedora 32 Update: c-ares-1.17.0-1.fc32
2020-12-04 00:30:19
[SECURITY] Fedora 33 Update: c-ares-1.17.0-1.fc33
2020-11-28 02:04:28
[SECURITY] Fedora 32 Update: mingw-c-ares-1.17.1-1.fc32
2021-02-24 20:46:53
f5
f5
K07944249 : Node.js vulnerability CVE-2020-8277
2021-02-24 00:00:00
cbl_mariner
cbl_mariner
CVE-2020-8277 affecting package c-ares 1.14.0-3
2021-04-06 23:50:04
CVE-2020-8277 affecting package python-gevent for versions less than 21.1.2-3
2024-09-30 09:32:24
altlinux
altlinux
Security fix for the ALT Linux 9 package c-ares version 1.16.1-alt2
2020-11-19 00:00:00
Security fix for the ALT Linux 10 package node version 14.15.1-alt1
2020-11-16 00:00:00
Security fix for the ALT Linux 9 package node version 14.15.1-alt1
2020-11-26 00:00:00
suse
suse
Security update for c-ares (moderate)
2020-11-26 00:00:00
Security update for c-ares (moderate)
2020-11-28 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0378
2021-04-07 00:00:00
Important Photon OS Security Update - PHSA-2021-0209
2021-03-23 00:00:00
alpinelinux
alpinelinux
CVE-2020-8277
2020-11-19 01:15:12
CVE-2020-7774
2020-11-17 13:15:12
freebsd
freebsd
Node.js -- November 2020 Security Releases
2020-11-16 00:00:00
hackerone
hackerone
Node.js: DNS Max Responses for DOS
2020-11-12 18:32:25
gitlab
gitlab
Uncontrolled Resource Consumption
2020-11-19 00:00:00
archlinux
archlinux
[ASA-202011-18] c-ares: denial of service
2020-11-19 00:00:00
ubuntu
ubuntu
c-ares vulnerability
2020-11-19 00:00:00
gentoo
gentoo
c-ares: Denial of service
2020-12-23 00:00:00
nodejsblog
nodejsblog
November 2020 Security Releases
2020-11-16 00:00:00

EPSS

0.338

Percentile

97.1%

JSON
Related for E2CA1E7AD2646F35FD854E930E6AF030E58817DBF599A59E49719694B3B46D1F
ibm55debian2nessus28mageia2openvas15osv15oraclelinux1almalinux1ubuntucve6prion6nvd6veracode5cvelist6redhatcve4debiancve5github4rocky1cve7githubexploit3redhat2nodejs2fedora4f51cbl_mariner2altlinux3suse2photon2alpinelinux2freebsd1hackerone1gitlab1archlinux1ubuntu1gentoo1nodejsblog1