Security Bulletin: Vulnerabilities in Urllib3 and react-bootstrap-table affect IBM Spectrum Discover.

Summary

Vulnerabilities in Urllib3 and react-bootstrap-table such as problems on the regular expression cause denial of service, improper validations in parameters and problems related to cross-site scripting, may affect IBM Spectrum Discover.

Vulnerability Details

CVEID:CVE-2021-33503
**DESCRIPTION:**urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203109 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2021-23398
**DESCRIPTION:**Node.js react-bootstrap-table module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dataFormat parameter. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Installed versions of Spectrum Discover (2.0.3, 2.0.3.1, 2.0.3.2, 2.0.3.3, 2.0.3.4, 2.0.3.5, 2.0.4, 2.0.4.1, 2.0.4.2) can be upgraded to fixed version using the IBM Spectrum Discover 2.0.3.6 upgrader and IBM Spectrum Discover 2.0.4.3 upgrader.

Workarounds and Mitigations

None