IBM38DC3F8E6DA5AE751B580BDDC59111DD9C68031722EFD391A2B6BFEFC01091BESecurity Bulletin: Multiple Vulnerabilities in Multicloud Management Security Services
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.003 Low
EPSS
Percentile
67.4%
Summary
Multiple vulnerabilities were fixed in IBM Cloud Pak for Multicloud Management Security Services
Vulnerability Details
CVEID:CVE-2022-31512
**DESCRIPTION:**flask-mvc could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-31504
**DESCRIPTION:**BaiduWenkuSpider_flaskWeb could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-31527
**DESCRIPTION:**flask-file-server could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
CVEID:CVE-2022-32148
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by improper exposure of client IP addresses in net/http. By calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, an attacker could exploit this vulnerability to obtain the client IP address information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233148 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak for Multicloud Management Security Services | 2.2 |
| IBM Cloud Pak for Multicloud Management Security Services | 2.3 |
Remediation/Fixes
Upgrade to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 6 by following the instructions in
<https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-6>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for multicloud management | eq | 2.2 | |
| ibm cloud pak for multicloud management | eq | 2.3 |
Related
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.003 Low
EPSS
Percentile
67.4%