Apr 01, 2023 - 2:09 p.m.

Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2023

www.ibm.com

EPSS: 0.967 (High), percentile 99.7%

Summary

In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF019 and 22.0.2-IF003.

Vulnerability Details

CVEID: CVE-2023-24998
**DESCRIPTION:** Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limiting the number of request parts to be processed in the file upload function. By sending a specially-crafted request with a series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-24957
**DESCRIPTION:** IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/246115 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2022-24999
**DESCRIPTION:** Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a `__proto__` or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/240815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
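The prototype-pollution class behind CVE-2022-24999 is easiest to see in a tiny bracket-notation query parser. The following is an added illustration written for this bulletin, not qs's or Express's code: the same parser in its naive form (a `__proto__` segment walks into `Object.prototype`) and in a hardened form (null-prototype objects plus a key denylist), with a pre-parse detector a gateway could run; all inputs are constructed.

```javascript
// Added illustration (not qs's code) of the prototype-pollution class behind
// CVE-2022-24999: a minimal bracket-notation query parser ("a[b]=c" -> {a:{b:"c"}})
// in naive and hardened form, plus a pre-parse detector.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]" -> ["a", "b", "c"]; percent-decoded first so %5F%5Fproto%5F%5F is caught too.
function keyPath(rawKey) {
  let key = rawKey;
  try { key = decodeURIComponent(rawKey); } catch { /* malformed escape: keep raw */ }
  const m = key.match(/^([^[\]]+)((?:\[[^[\]]*\])*)$/);
  if (!m) return [key];
  return [m[1], ...Array.from(m[2].matchAll(/\[([^[\]]*)\]/g), (s) => s[1])];
}

// guard=false is the unsafe pattern: on a plain {} the key "__proto__" resolves to
// Object.prototype, so "a[__proto__][x]=1" sets Object.prototype.x for every object.
// guard=true drops pairs touching a pollution key and only builds null-prototype
// objects, on which "__proto__" is an ordinary own property.
function assignPath(target, path, value, guard) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (guard && POLLUTION_KEYS.has(key)) return false;
    if (i === path.length - 1) {
      node[key] = value;
    } else {
      if (typeof node[key] !== "object" || node[key] === null) node[key] = guard ? Object.create(null) : {};
      node = node[key];
    }
  }
  return true;
}

function parseQuery(qs, { guard = true } = {}) {
  const out = guard ? Object.create(null) : {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    assignPath(out, keyPath(rawKey), value, guard);
  }
  return out;
}

// Gateway-side check: does any key path in the raw query touch a pollution key?
function hasPollutionKeys(qs) {
  return qs.split("&").some((p) => keyPath(p.split("=")[0]).some((k) => POLLUTION_KEYS.has(k)));
}
```

The detector decodes before matching, because a naive string search for `__proto__` misses the percent-encoded spelling that the parser itself will decode.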

CVEID: CVE-2022-25901
**DESCRIPTION:** Node.js cookiejar module is vulnerable to a denial of service, caused by an insecure regular expression in the Cookie.parse function. A remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/245045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-39353
**DESCRIPTION:** Node.js xmldom module could allow a remote attacker to bypass security restrictions, caused by the use of multiple top level elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain administrative access.
CVSS Base score: 9.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239426 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVEID: CVE-2023-25194
**DESCRIPTION:** Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring the connector via the Kafka Connect REST API. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/246698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**IBM X-Force ID:** 177835
**DESCRIPTION:** Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Cloud Pak for Business Automation | V22.0.2 - V22.0.2-IF002 | affected |
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF018 | affected |
| IBM Cloud Pak for Business Automation | V22.0.1 - V22.0.1-IF006 and later fixes; V21.0.2 - V21.0.2-IF012 and later fixes; V21.0.1 - V21.0.1-IF007 and later fixes; V20.0.1 - V20.0.3 and later fixes; V19.0.1 - V19.0.3 and later fixes; V18.0.0 - V18.0.2 and later fixes | affected |

Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed in the following components:

| CVE ID | Addressed in component |
|---|---|
| CVE-2023-24998 | Business Automation Navigator, Operational Decision Management |
| CVE-2023-24957 | Business Automation Workflow, Business Automation Studio |
| CVE-2022-24999 | Automation Decision Services |
| CVE-2022-25901 | Automation Decision Services |
| CVE-2022-39353 | Business Automation Application |
| 177835 | Automation Decision Services |
| CVE-2023-25194 | Business Automation Workflow |

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | V22.0.2 - V22.0.2-IF002 | Apply security fix 22.0.2-IF003 |
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF018 | Apply security fix 21.0.3-IF019 or upgrade to 22.0.2-IF003 |
| IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008; V20.0.1 - V20.0.3; V19.0.1 - V19.0.3; V18.0.0 - V18.0.2 | Upgrade to 21.0.3-IF019 or 22.0.2-IF003 |

Workarounds and Mitigations

None