CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
75.4%
IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security (CP4S).
CVEID:CVE-2022-25901
**DESCRIPTION:**Node.js cookiejar module is vulnerable to a denial of service, caused by an insecure regular expression in the Cookie.parse function. A remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-24823
**DESCRIPTION:**Netty could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when temporary storing uploads on the disk is enabled. By gaining access to the local system temporary directory, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225922 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
**IBM X-Force ID:**247595
**DESCRIPTION:**Encode Starlette is vulnerable to a denial of service, caused by a flaw with accepting unlimited number of multipart parts in the python-multipart package in the MultipartParser. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause high CPU and memory usages, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247595 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**IBM X-Force ID:**212233
**DESCRIPTION:**d3-color is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted string that starts with the letter ‘A’ to the rgb() and hrc() functions, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212233 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
Cloud Pak for Security (CP4S) | 1.10.0.0 - 1.10.9.0 |
IBM encourages customers to update their systems promptly.
Please upgrade to at least CP4S 1.10.10.0 following these instructions: <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10?topic=installing-upgrading-cloud-pak-security>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_security | 1.10 | cpe:2.3:a:ibm:cloud_pak_for_security:1.10:*:*:*:*:*:*:* |
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
75.4%