Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM03C1C0CFEDB05A2FD0EBDB73759416A70A64FE2663452B2233BFD85BD0543E37
HistoryMay 24, 2022 - 6:37 p.m.

Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

2022-05-2418:37:42
www.ibm.com
17

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.007 Low

EPSS

Percentile

79.9%

JSON

Summary

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Deployment Intelligence app for IBM QRadar SIEM has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2020-24025
**DESCRIPTION:**node-sass could allow a remote attacker to bypass security restrictions, caused by the disablement of certificate validation when requesting binaries even if the user is not specifying an alternative download path. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-3807
**DESCRIPTION:**Chalk ansi-regex module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-33623
**DESCRIPTION:**Node.js trim-newlines module is vulnerable to a denial of service, caused by a regular expression denial-of-service (ReDoS) flaw in the .end() method. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202758 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-37713
**DESCRIPTION:**Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208451 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID:CVE-2021-37712
**DESCRIPTION:**Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID:CVE-2021-37701
**DESCRIPTION:**Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208442 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID:CVE-2021-32804
**DESCRIPTION:**Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/…/) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206719 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID:CVE-2021-32803
**DESCRIPTION:**Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/…/) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206717 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM QRadar Deployment Intelligence App 1.0 - 3.0.4

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Update to 3.0.5

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm qradar siemeq3.0

Related

ibm 35
mageia 2
altlinux 1
nessus 38
nodejsblog 1
freebsd 1
github 9
debian 3
osv 25
prion 8
ubuntucve 8
debiancve 8
alpinelinux 5
cve 8
suse 9
redhat 4
nodejs 6
redhatcve 8
broadcom 1
veracode 8
ubuntu 2
githubexploit 1
almalinux 2
oraclelinux 2
rocky 1
hackerone 1
huntr 1
cgr 1
ibm
ibm
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 18:33:20
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js
2021-10-01 06:17:41
Security Bulletin: A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services
2021-11-09 18:12:58
mageia
mageia
Updated nodejs-tar packages fix security vulnerability
2022-03-21 23:18:30
Updated nodejs packages fix security vulnerability
2021-10-06 22:41:56
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 14.17.6-alt1
2021-09-01 00:00:00
nessus
nessus
FreeBSD : Node.js -- August 2021 Security Releases (2) (7062bce0-1b17-11ec-9d9d-0022489ad614)
2021-10-01 00:00:00
Debian DSA-5008-1 : node-tar - security update
2021-11-12 00:00:00
Debian DLA-3237-1 : node-tar - LTS security update
2022-12-12 00:00:00
nodejsblog
nodejsblog
August 31 2021 Security Releases
2021-08-31 00:00:00
freebsd
freebsd
Node.js -- August 2021 Security Releases (2)
2021-08-31 00:00:00
github
github
GitHub security update: Vulnerabilities in tar and @npmcli/arborist
2021-09-08 16:00:32
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
2021-08-03 19:06:36
Improper Certificate Validation in node-sass
2022-02-09 22:22:24
debian
debian
[SECURITY] [DSA 5008-1] node-tar security update
2021-11-11 21:57:59
[SECURITY] [DLA 3237-1] node-tar security update
2022-12-12 14:15:54
[SECURITY] [DLA 3247-1] node-trim-newlines security update
2022-12-23 14:08:28
osv
osv
CVE-2021-32804
2021-08-03 19:15:08
node-tar - security update
2022-12-12 00:00:00
node-tar - security update
2021-11-11 00:00:00
prion
prion
Design/Logic Flaw
2021-08-03 19:15:00
Design/Logic Flaw
2021-05-28 18:15:00
Path traversal
2021-01-11 19:15:00
ubuntucve
ubuntucve
CVE-2021-32804
2021-08-03 00:00:00
CVE-2020-24025
2021-01-11 00:00:00
CVE-2021-33623
2021-05-28 00:00:00
debiancve
debiancve
CVE-2021-32804
2021-08-03 19:15:00
CVE-2020-24025
2021-01-11 19:15:00
CVE-2021-33623
2021-05-28 18:15:00
alpinelinux
alpinelinux
CVE-2021-32804
2021-08-03 19:15:00
CVE-2021-37712
2021-08-31 17:15:00
CVE-2021-37713
2021-08-31 17:15:00
cve
cve
CVE-2021-32804
2021-08-03 19:15:00
CVE-2021-33623
2021-05-28 18:15:00
CVE-2020-24025
2021-01-11 19:15:00
suse
suse
Security update for nodejs14 (important)
2022-03-04 00:00:00
Security update for nodejs8 (important)
2022-03-04 00:00:00
Security update for nodejs12 (important)
2022-03-02 00:00:00
redhat
redhat
(RHSA-2022:0041) Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
2022-01-06 18:27:51
(RHSA-2021:5086) Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update
2021-12-13 15:19:23
(RHSA-2022:0350) Moderate: nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
nodejs
nodejs
Regular Expression Denial of Service
2021-06-07 22:13:02
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
2021-08-31 16:10:27
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
2021-08-31 16:10:17
redhatcve
redhatcve
CVE-2020-24025
2021-01-28 18:56:15
CVE-2021-33623
2021-06-01 14:19:20
CVE-2021-37713
2021-12-16 16:50:36
broadcom
broadcom
Certificate validation is disabled when requesting binaries
2023-06-12 00:00:00
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-05-31 05:29:50
Remote Code Execution (RCE)
2021-09-01 02:04:46
Man-in-the-Middle (MitM)
2021-01-12 05:41:04
ubuntu
ubuntu
trim-newlines vulnerability
2023-04-05 00:00:00
Tar for Node.js vulnerability
2022-02-11 00:00:00
githubexploit
githubexploit
Exploit for Path Traversal in Tar Project Tar
2021-08-31 04:32:38
almalinux
almalinux
Moderate: nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
Important: nodejs:12 security and bug fix update
2021-09-21 12:33:58
oraclelinux
oraclelinux
nodejs:14 security, bug fix, and enhancement update
2022-02-02 00:00:00
nodejs:12 security and bug fix update
2021-09-22 00:00:00
rocky
rocky
nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
hackerone
hackerone
Nextcloud: @nextcloud/logger NPM package brings vulnerable ansi-regex version
2022-06-20 14:31:09
huntr
huntr
Inefficient Regular Expression Complexity in chalk/ansi-regex
2021-09-09 11:25:39
cgr
cgr
CVE-2021-3807 vulnerabilities
2024-04-19 21:06:40

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.007 Low

EPSS

Percentile

79.9%

JSON
Related for 03C1C0CFEDB05A2FD0EBDB73759416A70A64FE2663452B2233BFD85BD0543E37
ibm35mageia2altlinux1nessus38nodejsblog1freebsd1github9debian3osv25prion8ubuntucve8debiancve8alpinelinux5cve8suse9redhat4nodejs6redhatcve8broadcom1veracode8ubuntu2githubexploit1almalinux2oraclelinux2rocky1hackerone1huntr1cgr1