Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMFEEB22705846872BB83E3BC9FE94522005DBC482F542E59A9C17E7BC4EEDF76A
HistoryMay 15, 2023 - 6:36 p.m.

Security Bulletin: Open Source Dependency Vulnerability

2023-05-1518:36:46
www.ibm.com
22
ibm edge app manager
etcd
vulnerability

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.014

Percentile

87.0%

JSON

Summary

IBM Edge Application Manager 4.5 has resolved the vulnerability.

Vulnerability Details

CVEID:CVE-2020-15112
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by a flaw in the ReadAll method in wal/wal.go. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause a runtime panic.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186328 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-26160
**DESCRIPTION:**jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-16886
**DESCRIPTION:**etcd could allow a remote attacker to bypass security restrictions, caused by improper authentication in auth/store.go:AuthInfoFromTLS() when role-based access control (RBAC) is used and client-cert-auth is enabled. By sending a specially crafted REST API request to the gRPC-gateway, an attacker could exploit this vulnerability to bypass authentication.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155498 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-44716
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2018-1098
**DESCRIPTION:**etcd is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/141542 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-15106
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by improper data validation in the decodeRecord method. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause panic in decodeRecord method,
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186329 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-15113
**DESCRIPTION:**etcd could allow a remote attacker to bypass security restrictions, caused by the lack of permission checks in the os.MkdirAll function when a given directory path exists already. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186327 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2018-1099
**DESCRIPTION:**etcd could allow a remote attacker to gain access to the DNS records, caused by a DNS rebinding. An attacker could exploit this vulnerability to rebind DNS records.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/141541 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-29526
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-14040
**DESCRIPTION:**Go Language x/text package is vulnerable to a denial of service, caused by a vulnerability in encoding/unicode in the UTF-16 decoder. By sending a single byte to a UTF16 decoder, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184313 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Edge Application Manager 4.4
IBM Edge Application Manager 4.3

Remediation/Fixes

The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmedge_application_managerMatch4.3
OR
ibmedge_application_managerMatch4.4
VendorProductVersionCPE
ibmedge_application_manager4.3cpe:2.3:a:ibm:edge_application_manager:4.3:*:*:*:*:*:*:*
ibmedge_application_manager4.4cpe:2.3:a:ibm:edge_application_manager:4.4:*:*:*:*:*:*:*

Related

ibm 10
nessus 31
openvas 7
fedora 3
altlinux 2
osv 32
ubuntu 2
redhat 10
photon 5
ubuntucve 6
debiancve 6
cve 7
veracode 7
nvd 5
github 8
cvelist 7
gitlab 5
redhatcve 6
wolfi 3
cgr 2
prion 6
cbl_mariner 25
alpinelinux 2
rocky 1
oraclelinux 1
ibm
ibm
Security Bulletin: IBM Cloud Private is vulnerable to etcd vulnerabilities (CVE-2020-15106, CVE-2020-15112, CVE-2020-15113)
2021-02-26 14:21:09
Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113)
2021-02-02 13:37:27
Security Bulletin: CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard
2023-02-24 13:14:12
nessus
nessus
Fedora 29 : etcd (2019-219b0b0b6a)
2019-05-06 00:00:00
Fedora 30 : etcd (2019-833466697f)
2019-05-02 00:00:00
Ubuntu 18.04 ESM : etcd vulnerabilities (USN-5628-2)
2023-10-16 00:00:00
openvas
openvas
Fedora Update for etcd FEDORA-2019-219b0b0b6a
2019-05-07 00:00:00
Ubuntu: Security Advisory (USN-5628-1)
2022-09-23 00:00:00
Ubuntu: Security Advisory (USN-5628-2)
2023-01-27 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: etcd-3.3.12-1.20190314gite1ca3b4.fc30
2019-04-13 00:09:57
[SECURITY] Fedora 29 Update: etcd-3.3.12-4.20190413gitf29b1ad.fc29
2019-05-06 04:15:25
[SECURITY] Fedora 32 Update: etcd-3.4.13-1.fc32
2021-01-04 01:18:15
altlinux
altlinux
Security fix for the ALT Linux 10 package etcd version 3.4.7-alt1
2020-04-26 00:00:00
Security fix for the ALT Linux 10 package etcd version 3.4.13-alt1
2020-09-05 00:00:00
osv
osv
etcd vulnerabilities
2022-09-22 15:16:34
etcd vulnerabilities
2022-09-22 13:38:55
BIT-etcd-2020-15106
2024-03-06 10:52:40
ubuntu
ubuntu
etcd vulnerabilities
2022-09-22 00:00:00
etcd vulnerabilities
2022-09-22 00:00:00
redhat
redhat
(RHSA-2021:1407) Moderate: etcd security update
2021-04-27 16:05:53
(RHSA-2021:0916) Moderate: Red Hat OpenStack Platform 16.1.4 (etcd) security update
2021-03-17 13:32:51
(RHSA-2019:1352) Moderate: etcd security, bug fix, and enhancement update
2019-06-04 17:55:45
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0313
2020-08-18 00:00:00
Critical Photon OS Security Update - PHSA-2020-0313
2020-08-18 00:00:00
Important Photon OS Security Update - PHSA-2020-0130
2020-08-25 00:00:00
ubuntucve
ubuntucve
CVE-2018-16886
2019-01-14 00:00:00
CVE-2020-26160
2020-09-30 00:00:00
CVE-2020-15113
2020-08-05 00:00:00
debiancve
debiancve
CVE-2018-16886
2019-01-14 19:29:00
CVE-2020-26160
2020-09-30 18:15:27
CVE-2020-15113
2020-08-05 20:15:14
cve
cve
CVE-2018-16886
2019-01-14 19:29:00
CVE-2020-26160
2020-09-30 18:15:27
CVE-2020-15113
2020-08-05 20:15:14
veracode
veracode
Authorization Bypass
2020-09-30 00:55:36
Denial Of Service (DoS)
2020-08-06 06:19:36
Weak Authentication
2019-01-15 02:30:09
nvd
nvd
CVE-2020-26160
2020-09-30 18:15:27
CVE-2018-16886
2019-01-14 19:29:00
CVE-2020-15113
2020-08-05 20:15:14
github
github
go.etcd.io/etcd Authentication Bypass
2022-04-12 22:41:32
Authorization bypass in github.com/dgrijalva/jwt-go
2021-05-18 21:08:21
Improper Preservation of Permissions in etcd
2024-01-30 23:54:26
cvelist
cvelist
CVE-2018-16886
2019-01-14 19:00:00
CVE-2020-26160
2020-09-30 12:57:10
CVE-2020-15113 Improper Preservation of Permissions in etcd
2020-08-05 19:30:13
gitlab
gitlab
Improper Authentication
2022-04-12 00:00:00
Improper Authentication
2022-02-15 00:00:00
Improper Input Validation in etcd
2023-02-07 00:00:00
redhatcve
redhatcve
CVE-2020-26160
2020-09-30 22:37:10
CVE-2018-16886
2020-01-11 15:32:15
CVE-2020-15112
2020-08-14 06:13:32
wolfi
wolfi
CVE-2020-26160 vulnerabilities
2024-10-01 09:27:37
CVE-2020-15106 vulnerabilities
2024-10-01 09:27:37
CVE-2020-14040 vulnerabilities
2024-10-01 09:27:37
cgr
cgr
CVE-2020-26160 vulnerabilities
2024-05-19 03:07:16
CVE-2020-15106 vulnerabilities
2024-05-19 03:07:16
prion
prion
Authentication flaw
2019-01-14 19:29:00
Design/Logic Flaw
2020-09-30 18:15:00
Design/Logic Flaw
2020-08-05 20:15:00
cbl_mariner
cbl_mariner
CVE-2020-26160 affecting package dcos-cli for versions less than 1.2.0-15
2024-07-22 23:01:50
CVE-2020-15112 affecting package etcd for versions less than 3.5.0-3
2022-04-09 06:52:04
CVE-2020-15113 affecting package etcd for versions less than 3.5.0-3
2022-04-09 06:52:04
alpinelinux
alpinelinux
CVE-2020-26160
2020-09-30 18:15:27
CVE-2021-44716
2022-01-01 05:15:08
rocky
rocky
grafana security update
2022-01-03 07:30:31
oraclelinux
oraclelinux
grafana security update
2022-01-04 00:00:00

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.014

Percentile

87.0%

JSON
Related for FEEB22705846872BB83E3BC9FE94522005DBC482F542E59A9C17E7BC4EEDF76A
ibm10nessus31openvas7fedora3altlinux2osv32ubuntu2redhat10photon5ubuntucve6debiancve6cve7veracode7nvd5github8cvelist7gitlab5redhatcve6wolfi3cgr2prion6cbl_mariner25alpinelinux2rocky1oraclelinux1