Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0273A8F588FC75912FB4CCD87BD310A0A100C6F12D5EA893D740EA5E6666E28F
HistoryMar 27, 2023 - 4:55 p.m.

Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138

2023-03-2716:55:37
www.ibm.com
32
ibm
engineering workflow management
vulnerability
remote code execution
version 7.0.2
version 7.0.1
cve-2021-43138

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

54.3%

JSON

Summary

There is a vulnerability CVE-2021-43138 which affects IBM Engineering Workflow Management (EWM).

Vulnerability Details

CVEID:CVE-2021-43138
**DESCRIPTION:**Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223605 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
EWM 7.0.2
EWM 7.0.1

Remediation/Fixes

Upgrade to version 7.0.2 iFix020 or later

IBM Engineering Lifecycle Management 7.0.2 iFix020

IBM Engineering Workflow Management 7.0.2 iFix020

Upgrade to version 7.0.1 iFix020 or later

IBM Engineering Lifecycle Management 7.0.1 iFix020

IBM Engineering Workflow Management 7.0.1 iFix020

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmengineering_workflow_managementMatch7.0.1
OR
ibmengineering_workflow_managementMatch7.0.2
VendorProductVersionCPE
ibmengineering_workflow_management7.0.1cpe:2.3:a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*
ibmengineering_workflow_management7.0.2cpe:2.3:a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*

Related

ibm 24
nvd 1
veracode 1
cvelist 1
github 1
debiancve 1
prion 1
redhatcve 1
cve 1
osv 3
nessus 11
openvas 6
fedora 5
redos 2
redhat 2
ibm
ibm
Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI
2022-07-20 16:54:39
Security Bulletin: IBM Storage Ceph is vulnerable to Prototype Pollution in Grafana (CVE-2021-43138)
2024-07-08 20:28:01
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows may be vulnerable to arbitrary code execution due to [CVE-2021-43138]
2023-04-28 11:45:00
nvd
nvd
CVE-2021-43138
2022-04-06 17:15:08
veracode
veracode
Prototype Pollution
2022-04-07 04:36:10
cvelist
cvelist
CVE-2021-43138
2022-04-06 00:00:00
github
github
Prototype Pollution in async
2022-04-07 00:00:17
debiancve
debiancve
CVE-2021-43138
2022-04-06 17:15:08
prion
prion
Design/Logic Flaw
2022-04-06 17:15:00
redhatcve
redhatcve
CVE-2021-43138
2022-09-13 08:13:03
cve
cve
CVE-2021-43138
2022-04-06 17:15:08
osv
osv
CVE-2021-43138
2022-04-06 17:15:08
Prototype Pollution in async
2022-04-07 00:00:17
grafana-9.3.6-1.1 on GA media
2024-06-15 00:00:00
nessus
nessus
RHEL 9 : pcs (Unpatched Vulnerability)
2024-06-03 00:00:00
Fedora 36 : yarnpkg (2023-18fd476362)
2023-01-21 00:00:00
Fedora 37 : yarnpkg (2023-ce8943223c)
2023-01-21 00:00:00
openvas
openvas
Fedora: Security Advisory for yarnpkg (FEDORA-2023-ce8943223c)
2023-01-22 00:00:00
Fedora: Security Advisory for yarnpkg (FEDORA-2023-18fd476362)
2023-01-22 00:00:00
Fedora: Security Advisory for yarnpkg (FEDORA-2023-2e38c3756f)
2023-03-30 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: yarnpkg-1.22.19-3.fc37
2023-01-21 03:34:16
[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-3.fc36
2023-01-21 03:43:23
[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-5.fc36
2023-03-30 01:16:12
redos
redos
ROS-20240704-07
2024-07-04 00:00:00
ROS-20240403-01
2024-04-03 00:00:00
redhat
redhat
(RHSA-2023:3645) Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update
2023-06-15 20:53:35
(RHSA-2023:0693) Moderate: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update
2023-02-09 02:15:47

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

54.3%

JSON
Related for 0273A8F588FC75912FB4CCD87BD310A0A100C6F12D5EA893D740EA5E6666E28F
ibm24nvd1veracode1cvelist1github1debiancve1prion1redhatcve1cve1osv3nessus11openvas6fedora5redos2redhat2