7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
49.9%
Node.js is used as a runtime engine by IBM App Connect Enterprise Certified Container. If an IBM App Connect Enterprise Certified Container image is extended to run custom Node.js applications, it may be vulnerable to security restriction bypasss. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-23918]
CVEID:CVE-2023-23918
**DESCRIPTION:**Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with --experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 4.1 |
App Connect Enterprise Certified Container | 4.2 |
App Connect Enterprise Certified Container | 5.0-lts |
App Connect Enterprise Certified Container | 5.1 |
App Connect Enterprise Certified Container | 5.2 |
App Connect Enterprise Certified Container | 6.0 |
App Connect Enterprise Certified Container | 6.1 |
App Connect Enterprise Certified Container | 6.2 |
App Connect Enterprise Certified Container | 7.0 |
App Connect Enterprise Certified Container | 7.1 |
App Connect Enterprise Certified Container | 7.2 |
App Connect Enterprise Certified Container | 8.0 |
IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 8.0.x (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 8.1.0 or higher, and ensure that all components are at 12.0.8.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)
Upgrade to App Connect Enterprise Certified Container Operator version 5.0.6 or higher, and ensure that all components are at 12.0.8.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
None
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
49.9%