Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1615871DB6D900C69F1E3E99183BE8581ED1CED870E2C3B0E3B990E1C56F30E0
HistoryJan 28, 2019 - 5:05 p.m.

Security Bulletin: IBM API Connect has addressed multiple vulnerabilities in Developer Portal's dependencies - Cumulative list from June 28, 2018 to December 13, 2018

2019-01-2817:05:01
www.ibm.com
27

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-16276 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by improper bounds checking in the yurex_read function in drivers/usb/misc/yurex.cr. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash, or gain elevated privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149198&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-6554 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the irda_bind function. By repeatedly binding an AF_IRDA socket, a local attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149360&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-15594 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by the improper handling of certain indirect calls. By conducting Spectre-v2 attacks against paravirtual guests, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148547&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-15572 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by the failure to always fill RSB upon a context switch by the spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c. An attacker could exploit this vulnerability to conduct userspace-userspace spectreRSB attacks and obtain private data.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148546&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-17182 DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the improper handling of sequence number overflows by the vmacache_flush_all function. An attacker could exploit this vulnerability using certain thread creation, map, unmap, invalidation, and dereference operations to trigger a use-after-free error and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150102&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10902 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a double-free in in snd_rawmidi_input_params() and snd_rawmidi_output_status() triggered by the raw midi kernel driver. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with elevated privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148627&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-14633 DESCRIPTION: Linux Kernel is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the chap_server_compute_md5() function. If the iSCSI target to be enabled on the victim host, an attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash.
CVSS Base Score: 7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150238&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)

CVEID: CVE-2018-6555 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the irda_setsockopt function. A local attacker could exploit this vulnerability using an AF_IRDA socket to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149361&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-3062 DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Server: Memcached component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146957&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-18216 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in fs/ocfs2/cluster/nodemanager.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139923&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7603 DESCRIPTION: The Search Autocomplete for Drupal is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’‘s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’'s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151407&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-12123 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153457&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-12122 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153456&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-12121 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending specially-crafted HTTP requests with maximum sized headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153455&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12116 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153452&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-0734 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-0732 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144658&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16845 DESCRIPTION: nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152681&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-14647 DESCRIPTION: Python is vulnerable to a denial of service, caused by a flaw in the elementtree C accelerator. By using a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a resource exhaustion.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150579&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-18314 DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by a flaw in the S_regatom function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153589&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-18313 DESCRIPTION: Perl could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer overflow in the S_grok_bslash_N function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153588&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-18312 DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by a flaw in the S_regatom function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153587&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-18311 DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the Perl_my_setenv function. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153586&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-13053 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an integer overflow in alarm_timer_nsleep. By sending an overly long string, an attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145647&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-15687 DESCRIPTION: systemd could allow a remote attacker to bypass security restrictions, caused by a race condition in the chown_one function. By sending a specially-crafted request, an attacker could exploit this vulnerability to set arbitrary permissions on arbitrary files.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152040&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-10880 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-out-of-bounds write in the ext4 filesystem code. By using a specially-crafted ext4 image, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147436&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-13096 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory access flaw in fs/f2fs/super.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145961&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-14609 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the __del_reloc_root function in fs/btrfs/relocation.c when mounting a crafted btrfs image. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147619&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-14617 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the hfsplus_lookup function in fs/hfsplus/dir.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147627&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-5407 DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architectures parallel thread running capabilities to leak encrypted data from the CPU’'s internal processes. Note: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-14600 DESCRIPTION: X.Org libx11 could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw. By sending a specially-crafted value, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148663&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-14599 DESCRIPTION: X.Org libx11 is vulnerable to a denial of service, caused by an off-by-one flaw in multiple functions. By sending malicious server responses, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148661&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-14598 DESCRIPTION: X.Org libx11 is vulnerable to a denial of service. By sending a specially-crafted reply, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148664&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16429 DESCRIPTION: GNOME GLib is vulnerable to a denial of service, caused by an out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149332&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-16428 DESCRIPTION: GNOME GLib is vulnerable to a denial of service, caused by a NULL pointer dereference in g_markup_parse_context_end_parse() in gmarkup.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149333&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1000222 DESCRIPTION: libgd could allow a remote attacker to execute arbitrary code on the system, caused by a double free in the gdImageBmpPtr function. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148755&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-14618 DESCRIPTION: cURL libcurl is vulnerable to a buffer overflow, caused by an integer overflow flaw in the Curl_ntlm_core_mk_nt_hash internal function in the NTLM authentication code. By sending an overly long password, a remote attacker could overflow a buffer and execute arbitrary code and cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149359&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-5740 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a defect in the deny-answer-aliases feature. By triggering this defect, a remote attacker could exploit this vulnerability to cause an INSIST assertion failure in name.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148131&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10853 DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the failure to check current privilege(CPL) level while emulating unprivileged instructions by the KVM hypervisor. An attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149311&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-5391 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the reassembly of fragmented IPv4 and IPv6 packets by the IP implementation. By sending specially crafted IP fragments with random offsets, a remote attacker could exploit this vulnerability to exhaust all available CPU resources and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148388&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-9516 DESCRIPTION: Google Android could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in hid_debug_events_read of drivers/hid/hid-debug.c. An attacker could exploit this vulnerability to escalate privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152645&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-5390 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions. By sending specially crafted packets within ongoing TCP sessions, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147950&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-5711 DESCRIPTION: PHP is vulnerable to a denial of service, caused by an integer signedness error in the imagecreatefromgif and imagecreatefromstring functions in the GD Graphics Library (aka libgd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137653&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10876 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the ext4_ext_remove_space() function. By mounting and operating on a specially crafted ext4 filesystem image, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147834&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10881 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bound access in the ext4_get_group_info function. By mounting and operating on a specially crafted ext4 filesystem image, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147820&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10882 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bound write in the fs/jbd2/transaction.c code function. By unmounting a specially crafted ext4 filesystem image, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147831&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-13094 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the xfs_da_shrink_inode function in fs/xfs/libxfs/xfs_attr_leaf.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a kernel OOPS.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145959&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-3646 DESCRIPTION: Multiple Intel CPU’'s could allow a local attacker to obtain sensitive information, caused by a flaw in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks and via a terminal page fault, an attacker with guest OS privilege could exploit this vulnerability to leak information residing in the L1 data cache and read data belonging to different security contexts.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148319&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-10877 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bound access in the ext4_ext_drop_refs() function. By using a specially-crafted ext4 image, a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147438&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-13168 DESCRIPTION: Google Android could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in kernel scsi driver. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136062&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-10878 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds write in the ext4 filesystem. By mounting and operating on a specially crafted ext4 filesystem image, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147833&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10879 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the ext4_xattr_set_entry function. By renaming a file a specially crafted ext4 filesystem image, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147832&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12233 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory corruption in the ea_get function in fs/jfs/xattr.c. A local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144767&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-13405 DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the fs/inode.c:inode_init_owner() function. An attacker could exploit this vulnerability to create files with an unintended group ownership.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146434&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-13406 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c. A local attacker could exploit this vulnerability to crash the kernel or potentially gain elevated privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147005&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-7942 DESCRIPTION: X.Org libX11 could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the XGetImage() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117541&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-7943 DESCRIPTION: X.Org libX11 could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in the XListFonts() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117542&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-3639 DESCRIPTION: Multiple Intel CPU’'s could allow a local attacker to obtain sensitive information, caused by utilizing sequences of speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to bypass security restrictions and gain read access to privileged memory. Note: This vulnerability is the Speculative Store Bypass (SSB), also known as Variant 4 or “SpectreNG”.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143569&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2018-3640 DESCRIPTION: Multiple Intel CPU’'s could allow a local attacker to obtain sensitive information, caused by utilizing sequences of speculative execution that perform speculative reads of system registers. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to determine the values stored in system registers. Note: This vulnerability is the Rogue System Register Read (RSRE), also known as Variant 3a.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143570&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2018-3620 DESCRIPTION: Multiple Intel CPU’'s could allow a local attacker to obtain sensitive information, caused by a flaw in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks and via a terminal page fault, an attacker could exploit this vulnerability to leak information residing in the L1 data cache and read data belonging to different security contexts. Note: This vulnerability is also known as the “L1 Terminal Fault (L1TF)” or “Foreshadow” attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148318&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-10021 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by ata qc leak in the drivers/scsi/libsas/sas_scsi_host.c. By triggering certain failure conditions, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141588&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10087 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the kernel_wait4 function in kernel/exit.c. By triggering an attempted use of the -INT_MIN value, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141640&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10124 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the kill_something_info function in kernel/signal.c. By using an INT_MIN argument, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141698&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7755 DESCRIPTION: Linux Kernel could allow a local attacker to bypass security restrictions, caused by a flaw in the fd_locked_ioctl function in drivers/block/floppy.c. By using the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data, an attacker could exploit this vulnerability to bypass kernel security protections.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140065&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-5715 DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137054&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-0737 DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141679&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-1152 DESCRIPTION: Libjpeg Turbo is vulnerable to a denial of service, caused by a divide-by-zero when processing a BMP image. By persuading a victim to open a specially crafted BMP image, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145045&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-18258 DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by a flaw in the xz_head function in xzlib.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141432&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-5814 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by multiple race condition errors when handling probe, disconnect and rebind operations in USB over IP daemon. By sending multiple USB over IP packets, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144508&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1116 DESCRIPTION: polkit is vulnerable to a denial of service, caused by a flaw in the implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146202&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

CVEID: CVE-2016-10087 DESCRIPTION: libpng is vulnerable to a denial of service, caused by a NULL pointer dereference in the png_set_text_2 function. By loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124207&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-14404 DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference in the xpath.c:xmlXPathCompOpEval() function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147260&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7185 DESCRIPTION: NTP is vulnerable to a denial of service. By sending specially crafted packets, a remote authenticated attacker could exploit this vulnerability to reset authenticated interleaved association.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139783&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9318 DESCRIPTION: Libxml2 could allow a remote attacker to obtain sensitive information, caused by failure to offer a flag directly indicating the status of current document. By using a specially-crafted document to conduct a XML external entity (XXE) attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119018&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-18255 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an integer overflow in the perf_cpu_time_max_percent_handler function in kernel/events/core.c. By using a specially-crafted input, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141329&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7183 DESCRIPTION: NTP is vulnerable to a buffer overflow, caused by improper bounds checking by the decodearr function. By leveraging an ntpq query and sending a response with a crafted array, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140092&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15896 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by an error in OpenSSL within the “error state” mechanism when directly calling SSL_read() due to TLS handshake failure. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136225&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-12115 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an out-of-bounds write in Buffer. An attacker could exploit this vulnerability to write to memory outside of a Buffer’'s memory space, corrupt Buffer objects or cause the process to crash.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148426&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID: CVE-2018-7159 DESCRIPTION: Node.js http module could allow a remote attacker to bypass security restrictions, caused by the acceptance of incorrect Content-Length values, containing spaces within the value, in HTTP headers. An attacker could exploit this vulnerability to confuse the script and launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143448&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-7158 DESCRIPTION: Node.js path module is vulnerable to a denial of service. By sending a specially crafted file path, an attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143449&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144740&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7160 DESCRIPTION: Node.js inspector module could allow a remote attacker to bypass security restrictions, caused by the failure to properly validate the Host header. An attacker could exploit this vulnerability to bypass same-origin policy and conduct a DNS rebinding attack.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143447&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID: CVE-2018-3665 DESCRIPTION: Intel Core-based microprocessors could allow a local attacker to obtain sensitive information, caused by utilizing the Lazy FP state restore technique for floating point state when context switching between application processes. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to determine register values of other processes. Note: This vulnerability is known as LazyFP.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144757&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2018-14567 DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an error in xzlib.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148541&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-14680 DESCRIPTION: An unspecified error in libmspack related to the failure to reject blank CHM filenames has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147668&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-14681 DESCRIPTION: libmspack could allow a remote attacker to overwrite arbitrary files, caused by an error in the kwajd_read_headers function in mspack/kwajd.c in libmspack. An attacker could exploit this vulnerability using bad KWAJ file header extensions to cause a one or two byte overwrite.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147669&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-14679 DESCRIPTION: libmspack is vulnerable to a denial of service, caused by an off-by-one error in the CHM PMGI/PMGL chunk number validity checks in mspack/chmd.c. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147667&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-14682 DESCRIPTION: libmspack is vulnerable to a denial of service, caused by an off-by-one in mspack/chmd.c in the TOLOWER() macro for CHM decompression. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147666&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-7526 DESCRIPTION: Libgcrypt could allow a remote attacker to obtain sensitive information, caused by a cache side-channel attack when using left-to-right sliding window method by the RSA-1024 implementation. By running arbitrary software where the private key is used, an attacker could exploit this vulnerability to obtain the RSA private key.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128271&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-9518 DESCRIPTION: Google Android could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write flaw in the nfc_llcp_build_sdreq_tlv function in llcp_commands.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154089&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-0495 DESCRIPTION: GnuPG Libgcrypt could allow a local attacker to obtain sensitive information, caused by a memory-cache side-channel attack on ECDSA signatures in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c. An attacker could exploit this vulnerability to recover ECDSA or DSA private keys.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144828&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1000204 DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the improper handling of an SG_IO ioctl on /dev/sg0. By sending a specially-crafted argument, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144557&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-13695 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c. By using a specially-rafted ACPI table, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131022&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-18257 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an integer overflow in the __get_data_block function in fs/f2fs/data.c. By using specially-crafted open and fallocate system calls with an FS_IOC_FIEMAP ioctl, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141431&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM API Connect version 5.0.8.0-5.0.8.4

Remediation/Fixes

Affected Product Addressed in VRMF APAR Remediation/First Fix
IBM API Connect 5.0.8.0-5.0.8.4 5.0.8.5 fix pack LI80564

Addressed in IBM API Connect V5.0.8.5 fix pack.

Follow this link and find the APIConnect-Portal package.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Related

ibm 19
ubuntu 20
nessus 59
openvas 56
cloudfoundry 8
osv 7
suse 6
debian 9
redhat 4
fedora 2
mageia 2
oraclelinux 2
amazon 1
centos 1
freebsd 1
nodejsblog 1
altlinux 1
ibm
ibm
Security Bulletin: IBM API Connect is affected by multiple third-party vulnerabilities (Node.js, nghttp2, Linux, Intel CPU, Android)
2018-10-31 20:10:01
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11
2018-11-20 12:45:01
Security Bulletin: IBM MQ Cloud Paks are vulnerable to multiple vulnerabilities in Perl (CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18311)
2019-01-30 11:50:01
ubuntu
ubuntu
Linux kernel (Xenial HWE) vulnerabilities
2018-08-24 00:00:00
Linux kernel vulnerabilities
2018-08-24 00:00:00
Linux kernel (Xenial HWE) vulnerabilities
2018-07-02 00:00:00
nessus
nessus
Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3753-2)
2018-08-24 00:00:00
Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3753-1)
2018-08-24 00:00:00
Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3696-1)
2018-07-03 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3753-2)
2018-08-25 00:00:00
Ubuntu: Security Advisory (USN-3753-1)
2018-08-25 00:00:00
Ubuntu: Security Advisory (USN-3696-2)
2018-07-03 00:00:00
cloudfoundry
cloudfoundry
USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-09-11 00:00:00
USN-3696-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-07-10 00:00:00
USN-3776-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-10-03 00:00:00
osv
osv
linux - security update
2018-10-03 00:00:00
perl - security update
2018-11-29 00:00:00
linux-4.9 - security update
2018-07-14 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2018-08-17 12:32:52
Security update for the Linux Kernel (important)
2018-08-17 12:20:07
Security update for perl (moderate)
2018-12-23 00:11:37
debian
debian
[SECURITY] [DLA 1423-1] linux-4.9 new package
2018-07-18 15:37:11
[SECURITY] [DSA 4347-1] perl security update
2018-11-29 22:09:43
[SECURITY] [DSA 4347-1] perl security update
2018-11-29 22:09:43
redhat
redhat
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2019:0010) Important: rh-perl524-perl security update
2019-01-02 15:45:54
(RHSA-2019:0001) Important: rh-perl526-perl security and enhancement update
2019-01-02 11:23:00
fedora
fedora
[SECURITY] Fedora 29 Update: perl-5.28.1-425.fc29
2018-12-02 08:28:33
[SECURITY] Fedora 26 Update: nodejs-6.14.0-1.fc26
2018-04-06 14:38:24
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2019-09-15 16:24:16
Updated libx11 packages fix security vulnerabilities
2018-09-21 02:17:55
oraclelinux
oraclelinux
libmspack security update
2018-11-05 00:00:00
Unbreakable Enterprise kernel security update
2018-08-14 00:00:00
amazon
amazon
Low: libmspack
2019-01-23 23:27:00
centos
centos
libmspack security update
2018-11-15 18:48:49
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-11-27 00:00:00
nodejsblog
nodejsblog
November 2018 Security Releases
2018-11-28 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 10.14.1-alt1
2018-11-30 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for 1615871DB6D900C69F1E3E99183BE8581ED1CED870E2C3B0E3B990E1C56F30E0
ibm19ubuntu20nessus59openvas56cloudfoundry8osv7suse6debian9redhat4fedora2mageia2oraclelinux2amazon1centos1freebsd1nodejsblog1altlinux1