IBM Security Risk Manager on CP4S has addressed the following vulnerabilities:
CVEID:CVE-2021-29912
**DESCRIPTION:**IBM Cloud Pak - Risk Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207828 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-15168
**DESCRIPTION:**Node.js node-fetch module is vulnerable to a denial of service, caused by the failure to honor the size option after following a redirect. By using a specially-crafted file, a remote attacker could exploit this vulnerability to consume excessive resource on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188155 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**Third Party Entry:**183561
**DESCRIPTION:**Node.js http-proxy module is vulnerable to a denial of service. By sending a specially crafted HTTP request with an overly long body, a remote attacker could exploit this vulnerability to trigger an ERR_HTTP_HEADERS_SENT unhandled exception and crash the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183561 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Security Risk Manager on CP4S | CP4S 1.7.0.0 |
To obtain fixes for all reported issues, customers are advised to upgrade to CP4S 1.6.0.X, 1.7.0.0 or 1.7.1.0, and then apply the upgrade for CP4S 1.7.2.0.
Product| VRMF| _APAR
_| Remediation / First Fix
—|—|—|—
IBM Security Risk Manager on CP4S| 1.7.0.0|
|
Follow the instructions to upgrade IBM Security Risk Manager on CP4S to 1.7.2.0 using link.
IBM Security Risk Manager on CP4S| 1.7.1.0
|
|
Follow the instructions to upgrade IBM Security Risk Manager on CP4S to 1.7.2.0 using link.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud pak for security | eq | 1.7.0.0 |