Lucene search

K
ibmIBM1B7056479CF1227AEA84129E7E4C02C60090C09BE416ACB03485305ECE2B669B
HistoryNov 09, 2021 - 6:30 p.m.

Security Bulletin: A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services

2021-11-0918:30:13
www.ibm.com
14

EPSS

0.007

Percentile

80.2%

Summary

A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services.

Vulnerability Details

CVEID:CVE-2021-32803
**DESCRIPTION:**Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/…/) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206717 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Multicloud Management Infrastructure Management All

Remediation/Fixes

Upgrade to IBM Cloud Pak for Multicloud Management 2.3.x Fix Pack 2 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-2.&gt;

Workarounds and Mitigations

None