Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM3DD81BAD784F59BB9BF823B92CEB58BE36823EB8A478E3D24C5A8417A3D90A2F
HistoryJul 18, 2023 - 6:05 a.m.

Security Bulletin: IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998)

2023-07-1806:05:30
www.ibm.com
21
ibm security verify governance
postgresql jdbc
apache cxf
apache commons fileupload
tomcat

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.042

Percentile

92.2%

JSON

Summary

Multiple security vulnerabilities in the components used by IBM Security Verify Governance have been addressed.

Vulnerability Details

CVEID:CVE-2022-41946
**DESCRIPTION:**Postgresql JDBC could allow a local authenticated attacker to obtain sensitive information, caused by not limit access to created readable files in the TemporaryFolder. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240853 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2022-46364
**DESCRIPTION:**Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-24998
**DESCRIPTION:**Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Verify Governance 10.0

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Affected Product|Version|**Fix Availability
**
—|—|—
IBM Security Verify Governance| 10.0.1|

10.0.1.0-ISS-ISVG-IGVA-FP0005

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_verify_governanceMatch10.0

Related

ibm 95
osv 10
cve 3
redhatcve 2
redhat 7
cvelist 3
prion 2
veracode 3
github 1
oraclelinux 2
nessus 32
ubuntucve 2
openvas 15
almalinux 2
atlassian 1
alpinelinux 1
fedora 1
cnvd 2
debiancve 2
debian 1
nvd 3
broadcom 1
cgr 1
vaadin 1
tomcat 2
kaspersky 2
redos 1
mageia 1
ibm
ibm
Security Bulletin: Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-41946 & CVE-2023-24998
2023-05-18 10:19:23
Security Bulletin: Apache CXF is vulnerable to CVE-2022-46364 used in IBM Maximo Application Suite - Monitor Component
2023-05-09 18:17:20
Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to a server-side request forgery, a denial of service, an attacker obtaining sensitive information, and gaining elevated privileges due to multiple vulnerabilities.
2023-05-01 14:52:39
osv
osv
CVE-2022-46364
2022-12-13 17:15:17
Apache CXF Server-Side Request Forgery vulnerability
2022-12-13 18:30:26
libpgjava - security update
2022-12-03 00:00:00
cve
cve
CVE-2022-46364
2022-12-13 17:15:17
CVE-2022-41946
2022-11-23 20:15:10
CVE-2023-24998
2023-02-20 16:15:10
redhatcve
redhatcve
CVE-2022-46364
2022-12-21 22:01:38
CVE-2022-41946
2022-12-14 14:35:37
redhat
redhat
(RHSA-2023:0163) Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
2023-01-12 20:48:45
(RHSA-2023:0759) Moderate: Red Hat Virtualization security and bug fix update
2023-02-14 13:05:12
(RHSA-2023:2867) Moderate: postgresql-jdbc security update
2023-05-16 05:56:48
cvelist
cvelist
CVE-2022-46364 Apache CXF SSRF Vulnerability
2022-12-13 16:20:26
CVE-2022-41946 TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc
2022-11-23 00:00:00
CVE-2023-24998 Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts
2023-02-20 15:57:07
prion
prion
Server side request forgery (ssrf)
2022-12-13 17:15:00
Information disclosure
2022-11-23 20:15:00
veracode
veracode
Server-side Request Forgery (SSRF)
2022-12-14 02:50:22
Information Disclosure
2022-11-24 07:01:27
Denial Of Service (DoS)
2023-02-24 11:02:57
github
github
Apache CXF Server-Side Request Forgery vulnerability
2022-12-13 18:30:26
oraclelinux
oraclelinux
postgresql-jdbc security update
2023-05-15 00:00:00
postgresql-jdbc security update
2023-05-24 00:00:00
nessus
nessus
RHEL 8 : Red Hat Virtualization (RHSA-2023:0759)
2024-04-28 00:00:00
RHEL 9 : postgresql-jdbc (RHSA-2023:2378)
2023-05-12 00:00:00
Oracle Linux 9 : postgresql-jdbc (ELSA-2023-2378)
2023-05-15 00:00:00
ubuntucve
ubuntucve
CVE-2022-41946
2022-11-23 00:00:00
CVE-2023-24998
2023-02-20 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:0103-1)
2023-01-20 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:0104-1)
2023-01-20 00:00:00
openSUSE: Security Advisory for postgresql (SUSE-SU-2023:0103-1)
2024-03-04 00:00:00
almalinux
almalinux
Moderate: postgresql-jdbc security update
2023-05-09 00:00:00
Moderate: postgresql-jdbc security update
2023-05-16 00:00:00
atlassian
atlassian
Upgrade Postgres for CVE-2022-41946
2023-03-23 22:26:31
alpinelinux
alpinelinux
CVE-2022-41946
2022-11-23 20:15:10
fedora
fedora
[SECURITY] Fedora 37 Update: postgresql-jdbc-42.4.3-1.fc37
2023-01-13 01:32:00
cnvd
cnvd
PostgreSQL JDBC Drive Information Disclosure Vulnerability
2022-11-25 00:00:00
Apache Commons FileUpload Denial of Service Vulnerability (CNVD-2023-23552)
2023-02-22 00:00:00
debiancve
debiancve
CVE-2022-41946
2022-11-23 20:15:10
CVE-2023-24998
2023-02-20 16:15:10
debian
debian
[SECURITY] [DLA 3218-1] libpgjava security update
2022-12-02 23:18:17
nvd
nvd
CVE-2022-41946
2022-11-23 20:15:10
CVE-2022-46364
2022-12-13 17:15:17
CVE-2023-24998
2023-02-20 16:15:10
broadcom
broadcom
Vulnerable postgresql component found in SANnav RPM package
2023-08-29 00:00:00
cgr
cgr
CVE-2023-24998 vulnerabilities
2024-05-19 03:07:16
vaadin
vaadin
Apache Commons FileUpload - DoS with excessive parts
2023-06-22 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 10.1.5
2023-01-13 00:00:00
Fixed in Apache Tomcat 9.0.71
2023-01-13 00:00:00
kaspersky
kaspersky
KLA40221 DoS vulnerability in Apache Tomcat
2023-01-13 00:00:00
KLA40220 DoS vulnerability in Apache Tomcat
2023-01-19 00:00:00
redos
redos
ROS-20240815-15
2024-08-15 00:00:00
mageia
mageia
Updated apache-commons-fileupload packages fix security vulnerability
2023-02-27 23:27:16

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.042

Percentile

92.2%

JSON
Related for 3DD81BAD784F59BB9BF823B92CEB58BE36823EB8A478E3D24C5A8417A3D90A2F
ibm95osv10cve3redhatcve2redhat7cvelist3prion2veracode3github1oraclelinux2nessus32ubuntucve2openvas15almalinux2atlassian1alpinelinux1fedora1cnvd2debiancve2debian1nvd3broadcom1cgr1vaadin1tomcat2kaspersky2redos1mageia1