Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool.

Summary

BigFix Platform is shipped with IBM License Metric Tool. Information about a security vulnerability affecting BigFix Platform has been published in a security bulletin.

Vulnerability Details

CVEID:CVE-2019-5435
**DESCRIPTION:**cURL libcurl is vulnerable to a heap-based buffer overflow, caused by multiple integer overflows in the curl_url_set() function. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2017-12652
**DESCRIPTION:**An unspecified error with improper validation of length of chunks against the user limit in libpng has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163589 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2010-1205
**DESCRIPTION:**libpng is vulnerable to a buffer overflow, caused by improper bounds checking by progressive applications when handling image row data. By sending an extra image row data beyond the reported height in the header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/59815 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2020-11022
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-11023
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Refer to the following security bulletin for vulnerability details and information about fixes addressed by BigFix Platform:

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0081263

Workarounds and Mitigations

None