Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF94E2FD93352C1316CE6430308206EAFBBC673CE41B3E1052A98C80E2798D9B0
HistorySep 07, 2023 - 10:42 a.m.

Security Bulletin: Vulnerabilities found in Turf.js which is shipped with IBM® Intelligent Operations Center [CVE-2020-28500, CVE-2020-8203, CVE-2019-1010266, CVE-2019-10744, CVE-2021-23337 and CVE-2018-16487]

2023-09-0710:42:07
www.ibm.com
27
turf.js
ibm intelligent operations center
denial of service
command injection
node.js lodash
cve-2020-28500
cve-2020-8203
cve-2019-1010266
cve-2019-10744
cve-2021-23337
cve-2018-16487

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.021

Percentile

89.3%

JSON

Summary

Multiple vulnerabilities have been identified in Turf.js which is shipped with IBM® Intelligent Operations Center. Information about these vulnerabilities affecting IBM® Intelligent Operations Center have been published and addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2020-28500
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-8203
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-1010266
**DESCRIPTION:**Lodash is vulnerable to a denial of service, caused by uncontrolled resource consumption in Date handler. By sending an overly long string, a local attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-10744
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID:CVE-2021-23337
**DESCRIPTION:**Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-16487
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Intelligent Operations Center (IOC) 5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.6, 5.2, 5.2.1, 5.2.2, 5.2.3

Remediation/Fixes

The recommended solution is to apply an interim fix that contains the fix for this issue as soon as practical.

Download the IBM Intelligent Operations Center Version 5.2.4 is an upgrade to IBM Intelligent Operations Center Version 5.2.3 through IBM Intelligent Operations Center Version 5.2 from the following link:

IBM Intelligent Operations Center Version 5.2.4

Installation instructions for the fix are included in the readme document that is in the fix package.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmintelligent_operations_centerMatch5.1.0
OR
ibmintelligent_operations_centerMatch5.1.0.2
OR
ibmintelligent_operations_centerMatch5.1.0.3
OR
ibmintelligent_operations_centerMatch5.1.0.4
OR
ibmintelligent_operations_centerMatch5.1.0.6
OR
ibmintelligent_operations_centerMatch5.2
OR
ibmintelligent_operations_centerMatch5.2.1
OR
ibmintelligent_operations_centerMatch5.2.2
OR
ibmintelligent_operations_centerMatch5.2.3
VendorProductVersionCPE
ibmintelligent_operations_center5.1.0cpe:2.3:a:ibm:intelligent_operations_center:5.1.0:*:*:*:*:*:*:*
ibmintelligent_operations_center5.1.0.2cpe:2.3:a:ibm:intelligent_operations_center:5.1.0.2:*:*:*:*:*:*:*
ibmintelligent_operations_center5.1.0.3cpe:2.3:a:ibm:intelligent_operations_center:5.1.0.3:*:*:*:*:*:*:*
ibmintelligent_operations_center5.1.0.4cpe:2.3:a:ibm:intelligent_operations_center:5.1.0.4:*:*:*:*:*:*:*
ibmintelligent_operations_center5.1.0.6cpe:2.3:a:ibm:intelligent_operations_center:5.1.0.6:*:*:*:*:*:*:*
ibmintelligent_operations_center5.2cpe:2.3:a:ibm:intelligent_operations_center:5.2:*:*:*:*:*:*:*
ibmintelligent_operations_center5.2.1cpe:2.3:a:ibm:intelligent_operations_center:5.2.1:*:*:*:*:*:*:*
ibmintelligent_operations_center5.2.2cpe:2.3:a:ibm:intelligent_operations_center:5.2.2:*:*:*:*:*:*:*
ibmintelligent_operations_center5.2.3cpe:2.3:a:ibm:intelligent_operations_center:5.2.3:*:*:*:*:*:*:*

Related

ibm 76
nessus 17
redhat 16
f5 2
prion 6
osv 12
veracode 6
nvd 6
hackerone 2
redhatcve 7
ubuntucve 6
github 7
cve 6
debiancve 6
cvelist 6
nodejs 4
symantec 1
githubexploit 3
thn 1
huntr 2
openvas 3
redos 1
ics 1
checkpoint_advisories 1
kitploit 1
ibm
ibm
Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)
2022-06-27 03:53:54
Security Bulletin: IBM Security Verify Governance has multiple vulnerabilities
2023-07-18 06:14:58
Security Bulletin: Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs)
2023-02-01 21:43:34
nessus
nessus
RHEL 8 : Red Hat Virtualization Host security update [ovirt-4.4.8] (Moderate) (RHSA-2021:3459)
2022-09-15 00:00:00
WordPress 5.8 < 5.8.1 / 5.7 < 5.7.3 / 5.6 < 5.6.5 / 5.5 < 5.5.6 / 5.4 < 5.4.7 / 5.2 < 5.2.12
2021-09-09 00:00:00
RHEL 8 : RHV Manager security update (ovirt-engine) [ovirt-4.4.6] (Moderate) (RHSA-2021:2179)
2021-06-01 00:00:00
redhat
redhat
(RHSA-2021:2179) Moderate: RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
2021-06-01 11:44:38
(RHSA-2021:3459) Moderate: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.8]
2021-09-08 11:04:34
(RHSA-2020:5611) Important: Red Hat Virtualization security, bug fix, and enhancement update
2020-12-17 08:43:33
f5
f5
K12492858 : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103
2022-05-06 00:00:00
K47105354 : Lodash library vulnerability CVE-2019-10744
2019-11-13 00:00:00
prion
prion
Denial of service
2019-07-17 21:15:00
Buffer overflow
2019-02-01 18:29:00
Design/Logic Flaw
2021-02-15 11:15:00
osv
osv
CVE-2019-1010266
2019-07-17 21:15:10
CVE-2018-16487
2019-02-01 18:29:00
Prototype Pollution in lodash
2019-02-07 18:16:48
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2018-08-30 06:08:10
Prototype Pollution Attack
2018-11-01 08:55:31
Prototype Pollution
2019-06-28 13:52:21
nvd
nvd
CVE-2018-16487
2019-02-01 18:29:00
CVE-2019-1010266
2019-07-17 21:15:10
CVE-2020-28500
2021-02-15 11:15:12
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash / constructor.prototype)
2018-07-12 08:28:18
Node.js third-party modules: Prototype pollution attack (lodash)
2019-10-11 12:06:20
redhatcve
redhatcve
CVE-2018-16487
2019-02-01 23:49:27
CVE-2019-1010266
2021-05-07 03:24:52
CVE-2020-28500
2021-02-15 21:48:23
ubuntucve
ubuntucve
CVE-2018-16487
2019-02-01 00:00:00
CVE-2019-1010266
2019-07-17 00:00:00
CVE-2019-10744
2019-07-26 00:00:00
github
github
Prototype Pollution in lodash
2019-02-07 18:16:48
Regular Expression Denial of Service (ReDoS) in lodash
2019-07-19 16:13:07
Command Injection in lodash
2021-05-06 16:05:51
cve
cve
CVE-2019-1010266
2019-07-17 21:15:10
CVE-2018-16487
2019-02-01 18:29:00
CVE-2020-28500
2021-02-15 11:15:12
debiancve
debiancve
CVE-2019-1010266
2019-07-17 21:15:10
CVE-2018-16487
2019-02-01 18:29:00
CVE-2019-10744
2019-07-26 00:15:11
cvelist
cvelist
CVE-2019-1010266
2019-07-17 20:25:30
CVE-2018-16487
2019-02-01 18:00:00
CVE-2019-10744
2019-07-25 23:43:03
nodejs
nodejs
Prototype Pollution
2019-02-13 16:16:53
Prototype Pollution
2020-05-20 01:36:49
Prototype Pollution
2019-07-15 17:22:56
symantec
symantec
lodash CVE-2019-1010266 Denial of Service Vulnerability
2019-09-05 00:00:00
githubexploit
githubexploit
Exploit for Allocation of Resources Without Limits or Throttling in Lodash
2020-12-01 09:18:57
Exploit for CVE-2019-10744
2020-12-01 09:18:57
Exploit for Prototype Pollution in Lodash
2020-12-01 09:45:48
thn
thn
Unpatched Prototype Pollution Flaw Affects All Versions of Popular Lodash Library
2019-07-09 16:06:00
huntr
huntr
Inefficient Regular Expression Complexity in liriliri/licia
2021-07-18 15:31:06
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
2023-02-20 02:52:19
openvas
openvas
Discourse < 2.3.0.beta10 Multiple Vulnerabilities
2019-06-17 00:00:00
Elastic Kibana < 6.8.2, 7.x < 7.2.1 Multiple Vulnerabilities (ESA-2019-09, ESA-2019-10) - Windows
2019-08-12 00:00:00
Elastic Kibana < 6.8.2, 7.x < 7.2.1 Multiple Vulnerabilities (ESA-2019-09, ESA-2019-10) - Linux
2019-08-12 00:00:00
redos
redos
ROS-20240418-08
2024-04-18 00:00:00
ics
ics
Siemens SINEC INS
2022-09-15 12:00:00
checkpoint_advisories
checkpoint_advisories
JavaScript Prototype Pollution (CVE-2020-28269; CVE-2020-28272; CVE-2020-28273; CVE-2020-28442; CVE-2020-28458; CVE-2020-28472; CVE-2020-7778; CVE-2020-8158; CVE-2020-8203; CVE-2021-25912; CVE-2021-44906)
2020-06-21 00:00:00
kitploit
kitploit
Trivy - A Simple And Comprehensive Vulnerability Scanner For Containers, Suitable For CI
2019-11-05 12:00:00

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.021

Percentile

89.3%

JSON
Related for F94E2FD93352C1316CE6430308206EAFBBC673CE41B3E1052A98C80E2798D9B0
ibm76nessus17redhat16f52prion6osv12veracode6nvd6hackerone2redhatcve7ubuntucve6github7cve6debiancve6cvelist6nodejs4symantec1githubexploit3thn1huntr2openvas3redos1ics1checkpoint_advisories1kitploit1