Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM22F61E962B7F5259E1791ABB6E8155212FCB46456934B6FD5151CEB3FB670DAD
HistoryMay 31, 2023 - 5:24 p.m.

Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs

2023-05-3117:24:27
www.ibm.com
4
ibm cloud pak
watson aiops
vulnerabilities
security restrictions
arbitrary code execution
remediation
node.js
vmware tanzu
spring framework

0.016 Low

EPSS

Percentile

87.3%

JSON

Summary

Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps version 3.7.2

Vulnerability Details

CVEID:CVE-2023-20860
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-29199
**DESCRIPTION:**Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw in the handleException() function in the source code transformer. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in host context.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Watson AIOps 3.x

Remediation/Fixes

IBM strongly suggests that you address the vulnerabilities now for all affected products/versions listed above by installing Fix:

https://www.ibm.com/docs/en/cloud-paks/cloud-pak-watson-aiops/3.7.2?topic=upgrading

Workarounds and Mitigations

None

CPE configuration

Vulners
ibmwebsphere_automation_for_ibm_cloud_pak_for_watson_aiopsMatch3.7.2
CPENameOperatorVersion
ibm cloud pak for watson aiopseq3.7.2

Related

github 2
cvelist 2
redhatcve 3
osv 4
nvd 2
veracode 2
ibm 24
nessus 9
prion 2
openvas 5
cve 2
ubuntucve 1
debiancve 1
githubexploit 1
f5 1
atlassian 1
spring 1
redhat 16
thn 1
oracle 3
github
github
vm2 Sandbox Escape vulnerability
2023-04-12 20:42:44
Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch
2023-03-28 00:34:28
cvelist
cvelist
CVE-2023-29199 vm2 Sandbox escape vulnerability
2023-04-14 18:37:03
CVE-2023-20860
2023-03-27 00:00:00
redhatcve
redhatcve
CVE-2023-29199
2023-04-17 15:32:14
CVE-2023-20861
2023-03-24 13:07:29
CVE-2023-20860
2023-03-24 13:07:33
osv
osv
CVE-2023-29199
2023-04-14 19:15:09
vm2 Sandbox Escape vulnerability
2023-04-12 20:42:44
CVE-2023-20860
2023-03-27 22:15:21
nvd
nvd
CVE-2023-29199
2023-04-14 19:15:09
CVE-2023-20860
2023-03-27 22:15:21
veracode
veracode
Arbitrary Code Execution
2023-04-18 10:11:59
Security Bypass
2023-03-30 02:11:25
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199]
2023-04-27 15:52:44
Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected by security restriction bypass due to Spring Framework [CVE-2023-20860]
2023-05-18 17:28:21
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in VMware Tanzu Spring Framework [CVE-2023-20860]
2023-06-28 19:44:02
nessus
nessus
Node.js Module vm2 < 3.9.16 Sandbox Breakout
2023-09-14 00:00:00
Spring Framework 5.3.x < 5.3.26 / 6.0.x < 6.0.7 Security Bypass (CVE-2023-20860)
2023-05-04 00:00:00
RHEL 8 : Red Hat Virtualization (RHSA-2023:3771)
2023-06-22 00:00:00
prion
prion
Remote code execution
2023-04-14 19:15:00
Security feature bypass
2023-03-27 22:15:00
openvas
openvas
vm2 < 3.9.16 Sandbox Escape Vulnerability
2023-05-02 00:00:00
VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows
2023-03-21 00:00:00
VMware Spring Framework < 5.2.23, 5.3.x < 5.3.26, 6.0.x < 6.0.7 DoS Vulnerability - Windows
2023-03-21 00:00:00
cve
cve
CVE-2023-29199
2023-04-14 19:15:09
CVE-2023-20860
2023-03-27 22:15:21
ubuntucve
ubuntucve
CVE-2023-20860
2023-03-27 00:00:00
debiancve
debiancve
CVE-2023-20860
2023-03-27 22:15:21
githubexploit
githubexploit
Exploit for CVE-2023-20860
2023-03-24 07:23:52
f5
f5
K000134500 : Spring Framework vulnerability CVE-2023-20860
2023-05-08 00:00:00
atlassian
atlassian
Upgrade spring-core for CVE-2023-20860
2023-05-17 06:46:56
spring
spring
This Week in Spring - March 21st, 2023
2023-03-21 00:00:00
redhat
redhat
(RHSA-2023:3771) Important: Red Hat Virtualization security and bug fix update
2023-06-21 19:50:23
(RHSA-2023:1897) Critical: Red Hat Advanced Cluster Management 2.6 hotfix security update for console
2023-04-20 02:06:34
(RHSA-2023:1894) Critical: Multicluster Engine for Kubernetes 2.1 hotfix security update for console
2023-04-20 01:44:30
thn
thn
Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution
2023-04-19 04:53:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

0.016 Low

EPSS

Percentile

87.3%

JSON
Related for 22F61E962B7F5259E1791ABB6E8155212FCB46456934B6FD5151CEB3FB670DAD
github2cvelist2redhatcve3osv4nvd2veracode2ibm24nessus9prion2openvas5cve2ubuntucve1debiancve1githubexploit1f51atlassian1spring1redhat16thn1oracle3