Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM23F232BAB10CC3280CBC55ACA0C977BDE83DAAFBB4A77F4C0DB9CF98D608A919
HistoryJan 15, 2024 - 7:45 a.m.

Security Bulletin: IBM Automation Decision Services December 2023 - Multiple CVEs addressed

2024-01-1507:45:03
www.ibm.com
8
ibm automation decision services
vulnerability
multiple cves
python-requests
axios
apache commons compress
gnu emacs

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.9%

JSON

Summary

IBM Automation Decision Services is vulnerable to denial of service attacks in third party and open source used in the product for various functions. See full list below. This vulnerability has been addressed.

Vulnerability Details

CVEID:CVE-2023-32681
**DESCRIPTION:**python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. By persuading a victim to click on a specially crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)

CVEID:CVE-2023-45857
**DESCRIPTION:**Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID:CVE-2023-42503
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted TAR file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266096 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-48337
**DESCRIPTION:**GNU Emacs could allow a local attacker to execute arbitrary commands on the system, caused by a flaw in the lib-src/etags.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248046 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-48339
**DESCRIPTION:**GNU Emacs could allow a local attacker to execute arbitrary commands on the system, caused by a flaw in the hfy-istext-command function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248054 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Automation Decision Services 23.0.1

Remediation/Fixes

IBM Automation Decision Services 23.0.1:
Interim fix 006 is available:

Workarounds and Mitigations

None

Related

nessus 60
redhat 8
openvas 48
almalinux 3
oraclelinux 4
osv 7
debian 2
amazon 3
mageia 1
freebsd 1
fedora 4
photon 2
ibm 24
cgr 3
veracode 3
wolfi 2
ubuntucve 3
githubexploit 3
prion 4
cve 2
redhatcve 3
github 1
debiancve 1
alpinelinux 1
redos 1
cbl_mariner 2
rosalinux 1
ubuntu 1
rocky 1
nessus
nessus
EulerOS 2.0 SP9 : emacs (EulerOS-SA-2023-1865)
2023-05-13 00:00:00
SUSE SLES12 Security Update : emacs (SUSE-SU-2023:0597-1)
2023-03-02 00:00:00
EulerOS Virtualization 2.9.0 : emacs (EulerOS-SA-2023-2016)
2023-06-02 00:00:00
redhat
redhat
(RHSA-2023:7083) Moderate: emacs security update
2023-11-14 08:44:40
(RHSA-2024:1408) Moderate: emacs security update
2024-03-19 16:35:16
(RHSA-2024:1103) Moderate: emacs security update
2024-03-05 10:44:53
openvas
openvas
Huawei EulerOS: Security Advisory for emacs (EulerOS-SA-2023-2016)
2023-06-01 00:00:00
Huawei EulerOS: Security Advisory for emacs (EulerOS-SA-2023-3124)
2023-11-09 00:00:00
Huawei EulerOS: Security Advisory for emacs (EulerOS-SA-2023-3428)
2023-12-15 00:00:00
almalinux
almalinux
Moderate: emacs security update
2023-11-14 00:00:00
Important: emacs security update
2023-05-09 00:00:00
Moderate: python27:2.7 security and bug fix update
2023-11-14 00:00:00
oraclelinux
oraclelinux
emacs security update
2023-11-17 00:00:00
emacs security update
2023-05-17 00:00:00
python-requests security update
2023-08-02 00:00:00
osv
osv
Moderate: emacs security update
2023-11-14 00:00:00
emacs - security update
2023-05-10 00:00:00
emacs - security update
2023-02-23 00:00:00
debian
debian
[SECURITY] [DSA 5360-1] emacs security update
2023-02-23 22:12:28
[SECURITY] [DLA 3416-1] emacs security update
2023-05-09 23:02:45
amazon
amazon
Important: emacs
2023-03-30 22:50:00
Important: emacs
2023-03-02 22:35:00
Medium: python3-requests
2023-07-05 22:01:00
mageia
mageia
Updated emacs packages fix security vulnerability
2023-03-02 00:14:31
freebsd
freebsd
emacs -- multiple vulnerabilities
2022-12-06 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: emacs-28.3-0.rc1.fc38
2023-09-28 01:37:30
[SECURITY] Fedora 37 Update: emacs-28.3-0.rc1.fc37
2023-10-14 01:27:02
[SECURITY] Fedora 38 Update: python-requests-2.28.2-2.fc38
2023-05-25 01:12:12
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0348
2023-03-06 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0544
2023-03-06 00:00:00
ibm
ibm
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress
2023-11-29 14:47:06
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Axios icross-site request forgery, vulnerability ( CVE-2023-45857)
2024-02-05 20:15:49
Security Bulletin: axios-1.5.0.tgz and axios-1.5.1.tgz is vulnerable to CVE-2023-45857 used in IBM Maximo Application Suite - Edge Data Collector
2024-03-05 09:15:21
cgr
cgr
CVE-2023-42503 vulnerabilities
2024-05-11 17:37:21
CVE-2023-45857 vulnerabilities
2024-05-11 17:37:21
CVE-2023-32681 vulnerabilities
2024-05-11 17:37:21
veracode
veracode
Denial Of Service (DoS)
2023-10-09 15:43:22
Cross-Site Request Forgery
2023-11-09 07:07:08
Command Injection
2023-03-11 19:20:06
wolfi
wolfi
CVE-2023-42503 vulnerabilities
2024-05-11 15:55:17
CVE-2023-45857 vulnerabilities
2024-05-11 15:55:17
ubuntucve
ubuntucve
CVE-2023-45857
2023-11-08 00:00:00
CVE-2022-48339
2023-02-20 00:00:00
CVE-2022-48337
2023-02-20 00:00:00
githubexploit
githubexploit
Exploit for Cross-Site Request Forgery (CSRF) in Axios
2023-10-26 04:18:03
Exploit for CVE-2023-45857
2023-10-18 12:19:34
Exploit for Cross-Site Request Forgery (CSRF) in Axios
2023-11-24 22:42:56
prion
prion
Design/Logic Flaw
2023-11-08 21:15:00
Input validation
2023-02-20 23:15:00
Command injection
2023-02-20 23:15:00
cve
cve
CVE-2023-45857
2023-11-08 21:15:08
CVE-2023-32681
2023-05-26 18:15:14
redhatcve
redhatcve
CVE-2023-45857
2023-11-10 00:17:17
CVE-2022-48337
2023-02-21 06:29:56
CVE-2023-32681
2023-05-24 03:40:09
github
github
Axios Cross-Site Request Forgery Vulnerability
2023-11-08 21:30:37
debiancve
debiancve
CVE-2023-45857
2023-11-08 21:15:08
alpinelinux
alpinelinux
CVE-2022-48337
2023-02-20 23:15:00
redos
redos
ROS-20240408-11
2024-04-08 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-32681 affecting package python-requests for versions less than 2.27.1-6
2023-06-27 20:56:13
CVE-2022-48339 affecting package emacs for versions less than 28.2-4
2023-03-17 17:25:17
rosalinux
rosalinux
Advisory ROSA-SA-2023-2191
2023-07-18 11:16:22
ubuntu
ubuntu
Requests vulnerability
2023-06-15 00:00:00
rocky
rocky
python-requests security update
2023-08-28 18:40:41

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

55.9%

JSON
Related for 23F232BAB10CC3280CBC55ACA0C977BDE83DAAFBB4A77F4C0DB9CF98D608A919
nessus60redhat8openvas48almalinux3oraclelinux4osv7debian2amazon3mageia1freebsd1fedora4photon2ibm24cgr3veracode3wolfi2ubuntucve3githubexploit3prion4cve2redhatcve3github1debiancve1alpinelinux1redos1cbl_mariner2rosalinux1ubuntu1rocky1