Lucene search

K
ibmIBM2284CC06A4E6F5751D394324DBF2B435A87AA6225257C50B4F1812CBCD37086A
HistoryNov 23, 2023 - 9:30 p.m.

Security Bulletin: A vulnerability in Python may affect IBM Robotic Process Automation for Cloud Pak and result in an attacker sending invalid emails. (CVE-2023-27043).

2023-11-2321:30:00
www.ibm.com
38
python vulnerability
ibm robotic process automation
cloud pak
invalid emails
security fixes
update instructions

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

58.7%

Summary

There is a vulnerability in Python used by IBM Robotic Process Automation for Cloud Pak as part of Watson NLP. An attacker could exploit this vulnerability to send messages from e-mail addresses that would otherwise be rejected. (CVE-2020-23064). This bulletin identifies the security fixes to apply to address this vulnerability.

Vulnerability Details

CVEID:CVE-2023-27043
**DESCRIPTION:**Python could allow a remote attacker to bypass security restrictions, caused by a parsing flaw in the email.utils.parsaddr() and email.utils.getaddresses() functions. By sending a specially-crafted e-mail addresses with a special character, an attacker could exploit this vulnerability to send messages from e-mail addresses that would otherwise be rejected.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.9, 23.0.0 - 23.0.10

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.9 Update to 21.0.7.10 or higher using the following instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.10| Update to 23.0.11 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibmrobotic_process_automationMatch21.0.0
OR
ibmrobotic_process_automationMatch21.0.7.9
OR
ibmrobotic_process_automationMatch23.0.0
OR
ibmrobotic_process_automationMatch23.0.10
VendorProductVersionCPE
ibmrobotic_process_automation21.0.0cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*
ibmrobotic_process_automation21.0.7.9cpe:2.3:a:ibm:robotic_process_automation:21.0.7.9:*:*:*:*:*:*:*
ibmrobotic_process_automation23.0.0cpe:2.3:a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:*
ibmrobotic_process_automation23.0.10cpe:2.3:a:ibm:robotic_process_automation:23.0.10:*:*:*:*:*:*:*

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

58.7%