Lucene search

IBM3D8ED3F19F14A2F659EBD2B5D86396CA6A5E21211208D2596BB5AD2E5190ED52

HistoryJun 28, 2022 - 5:08 p.m.

Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise and IBM Integration Bus (CVE-2020-7774)

2022-06-2817:08:30

www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.377 Low

EPSS

Percentile

97.2%

JSON

Summary

IBM App Connect Enterprise and IBM Integration Bus ship with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID:CVE-2020-7774
**DESCRIPTION:**Node.js y18n module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191999 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM App Connect Enterprise V11 , V11.0.0.0 - V11.0.0.13

IBM App Connect Enterprise V12 , V12.0.1.0

IBM Integration Bus v10, 10.0.0.0 - V10.0.0.25

Remediation/Fixes

Product

VRMF

| APAR|

Remediation / Fix

—|—|—|—
IBM App Connect Enterprise v11| V11.0.0.0-V11.0.0.13| IT37753|

The APAR is available in fix pack

11.0.0.14

IBM App Connect Enterprise V12| V12.0.1.0| IT37753|

Interim fix is available on

IBM Fix Central

IBM Integration Bus v10| 10.0.0.0 - V10.0.0.25| IT37753|

The APAR is available in fix pack

10.0.0.26

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm integration bus v10,eq10.0.0.0

CPE	Name	Operator	Version
	ibm integration bus v10,	eq	10.0.0.0

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.377 Low

EPSS

Percentile

97.2%

JSON

Related for 3D8ED3F19F14A2F659EBD2B5D86396CA6A5E21211208D2596BB5AD2E5190ED52