IBM Planning Analytics Cartridge for IBM Cloud Pak for Data 4.8.0 resolves vulnerabilities in Golang Go, Gin-Gonic Gin and libp2p go-libp2p. A vulnerability where sensitive information could be shared due to insecure network communication has also been addressed. Please refer to the table in the Related Information section for vulnerability impact.
CVEID:CVE-2023-26024
**DESCRIPTION:**IBM Planning Analytics on Cloud Pak for Data could allow an attacker on a shared network to obtain sensitive information caused by insecure network communication.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247898 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-39321
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when processing partial post-handshake message in QUICConn.HandleData in the crypto/tls package. By sending a specially crafted post-handshake message for a QUIC connection, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-29401
**DESCRIPTION:**Gin-Gonic Gin Web Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation by the filename parameter of the Context.FileAttachment function. By using a specially-crafted attachment file name, an attacker could exploit this vulnerability to modify the Content-Disposition header.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255449 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2023-39322
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw when reading post-handshake messages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause unbounded memory growth, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265863 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-39533
**DESCRIPTION:**libp2p go-libp2p is vulnerable to a denial of service, caused by a flaw during the signature verification. By sending a specially crafted request using large RSA keys, a remote attacker could exploit this vulnerability to exhaust available resource, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Planning Analytics on Cloud Pak for Data | 4.0 |
It is strongly recommended that you apply the most recent security update:
Affected Product(s) | Version(s) | Fix |
---|---|---|
IBM Planning Analytics Cartridge for IBM Cloud Pak for Data | 4.0 | Upgrading Planning Analytics |
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm planning analytics local | eq | 2.0 |