History: Jun 20, 2023 - 2:27 p.m.

Security Bulletin: A vulnerability in Pypa Setuptools may affect IBM Robotic Process Automation for Cloud Pak and result in a denial of service (CVE-2022-40897)

2023-06-20 14:27:06
www.ibm.com

5.9 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005 Low (Percentile 77.5%)

Summary

Pypa Setuptools is used by IBM Robotic Process Automation for Cloud Pak as part of Watson NLP. (CVE-2022-40897)

Vulnerability Details

CVEID: CVE-2022-40897
**DESCRIPTION:** Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending a request with a specially crafted regular expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/243028 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Robotic Process Automation for Cloud Pak 21.0 | 21.0.0 - 21.0.7.2
IBM Robotic Process Automation for Cloud Pak 23.0 | 23.0.0 - 23.0.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
---|---|---
IBM Robotic Process Automation for Cloud Pak 21.0 | 21.0.0 - 21.0.7.2 | Update to 21.0.7.3 or higher using the following instructions.
IBM Robotic Process Automation for Cloud Pak 23.0 | 23.0.0 - 23.0.3 | Update to 23.0.4 or higher using the following instructions.
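An added triage helper, not part of IBM's bulletin, that maps an installed IBM Robotic Process Automation for Cloud Pak version onto the affected ranges and fixed versions in the table above, padding short version strings (e.g. 21.0.7) so they compare correctly; the `assess` function name and the sample inventory versions are assumptions for illustration.

```python
# Added example (not from the IBM bulletin): check whether an installed IBM RPA
# for Cloud Pak version falls inside an affected range from the remediation table
# and report the first fixed version to move to.

from typing import Optional, Tuple

# Affected ranges and fixes exactly as the bulletin's remediation table states them.
AFFECTED_RANGES = [
    # (first affected, last affected, first fixed)
    ("21.0.0", "21.0.7.2", "21.0.7.3"),
    ("23.0.0", "23.0.3", "23.0.4"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.0.7.2' into (21, 0, 7, 2); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Pad with zeros so '21.0.7' compares as 21.0.7.0, i.e. below 21.0.7.2.
    return v + (0,) * (width - len(v))


def assess(installed: str) -> Optional[str]:
    """Return the fixed version to update to if `installed` is affected, else None."""
    v = parse_version(installed)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo), len(hi))
        if _pad(lo, width) <= _pad(v, width) <= _pad(hi, width):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed inventory versions for demonstration.
    for ver in ["21.0.7", "21.0.7.2", "21.0.7.3", "23.0.3", "23.0.4", "22.0.1"]:
        fix = assess(ver)
        print(f"{ver:>9}: {'update to ' + fix if fix else 'not in an affected range'}")
```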

Workarounds and Mitigations

None.

