Lucene search

IBM0E77C24838CDAB1277AB5CA33352CE6CCB83D6358DF909330CAE2536E8A99DED

HistoryAug 09, 2022 - 5:52 a.m.

Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to injection attack due to urllib package in Python3 (CVE-2022-0391)

2022-08-0905:52:22

www.ibm.com

ibm netezza

cloud pak for data

injection attack

python3

urllib package

cve-2022-0391

improper input validation

security bulletin

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

66.2%

JSON

Summary

IBM Netezza for Cloud Pak for Data is vulnerable to injection attack due to improper input validation by the urllib.parse module from Python3. Vulnerability is addressed by upgrading Pytthon to version 3.9.7.

Vulnerability Details

CVEID:CVE-2022-0391
**DESCRIPTION:**Python could provide weaker than expected security, cause by a improper input validation by the urllib.parse module. By sending a specially-crafted request using \r and \n characters in the URL path. An attacker could exploit this vulnerability to perform injection attack or launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Netezza for Cloud Pak for Data	11.2.1.0 - 11.2.1.5

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability now for affected versions listed by applying the fix.**

Product	Version	Remediation/Fix/Instructions
IBM Netezza for Cloud Pak for Data	11.2.1.6	Link to Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_dataMatch11.2.1.6

VendorProductVersionCPE
ibmcloud_pak_for_data11.2.1.6cpe:2.3:a:ibm:cloud_pak_for_data:11.2.1.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_data	11.2.1.6	cpe:2.3:a:ibm:cloud_pak_for_data:11.2.1.6:::::::*

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

66.2%

JSON

Related for 0E77C24838CDAB1277AB5CA33352CE6CCB83D6358DF909330CAE2536E8A99DED