CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
72.9%
Formula injection is possible in an Excel report generated by the Resilient platform, when a field name or value begins with specific characters.
**CVEID:** CVE-2020-4633 **DESCRIPTION:** IBM Resilient could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.
CVSS Base score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/185418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L)
| Affected Product(s) | Version(s) |
|---|---|
| Resilient OnPrem | IBM Security SOAR |
A spreadsheet, such as Excel, is susceptible to a formula injection if a cell begins with one of these characters:
In most cases, Excel displays a warning when the file is opened, but users might ignore it because the report was generated by the platform, which they trust.
As of Resilient platform V39, you can enable the reports.character_blocklist_enabled option. You can upgrade to this level of the platform by following instructions in the “Upgrade Procedure” section in the IBM Knowledge Center.
Once enabled, this parameter prevents generation of the report if any field name or value would cause a cell to begin with one of the characters, and it displays the following message:
Report Failed
An error occurred while generating your report.
To enable this option, use the following command:
sudo resutil configset -key reports.character_blocklist_enabled -bvalue true
To disable this option, use the following command:
sudo resutil configset -key reports.character_blocklist_enabled -bvalue false
To check whether or not this option is enabled, use this command:
sudo resutil configget -key reports.character_blocklist_enabled
If the value 1 is returned, the option is enabled. If the value 0 is returned, the option is not enabled.
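The check that the blocklist option performs can be modelled in a few lines. The block below is an added example, not IBM's code and not taken from the advisory: it refuses a whole report when any field name or value starts with a formula-trigger character (the `reports.character_blocklist_enabled` behaviour described above), and it also shows the alternative of neutralising such a cell by storing it as text, which the advisory does not describe. The trigger-character set is an assumption drawn from the characters spreadsheets commonly treat as the start of a formula; the platform's own blocklist is not enumerated here. The sample records are constructed.

```python
"""Added example: leading-character check for spreadsheet report cells.

Models the behaviour described for reports.character_blocklist_enabled:
the report is refused if any field name or value would make a cell begin
with a formula-trigger character. Not IBM's code.
"""

# Characters that spreadsheet applications such as Excel treat as the start
# of a formula, plus tab/CR which can split a cell. This is the commonly
# cited CSV/formula-injection set and is an ASSUMPTION here: the advisory
# does not list the Resilient platform's own blocklist.
FORMULA_TRIGGER_CHARS = ("=", "+", "-", "@", "\t", "\r")


class ReportBlockedError(ValueError):
    """Raised instead of producing a report, mirroring the platform's
    'Report Failed' outcome when the blocklist option is enabled."""


def starts_with_formula_trigger(cell):
    """True if the cell's text begins with a formula-trigger character.

    Only strings are checked: values written as numeric cells are never
    interpreted as formulas, so a negative int such as -5 is safe.
    """
    if not isinstance(cell, str):
        return False
    return cell.startswith(FORMULA_TRIGGER_CHARS)  # tuple form matches any prefix


def neutralize_cell(cell):
    """Alternative to refusing the report: force the cell to be stored as
    text by prefixing a single quote, which Excel hides in the displayed
    value. This generalises beyond the advisory, which only describes
    refusing the report."""
    if starts_with_formula_trigger(cell):
        return "'" + cell
    return cell


def build_report_rows(records, blocklist_enabled=True):
    """Turn a list of {field_name: value} dicts into (header, rows).

    blocklist_enabled=True: refuse the whole report if any field name or
    value starts with a trigger character (the V39 option's behaviour).
    blocklist_enabled=False: pass data through unchanged, i.e. the
    vulnerable behaviour the option exists to prevent.
    """
    if not records:
        return [], []
    header = list(records[0].keys())
    offenders = []
    for row_index, record in enumerate(records):
        for field_name, value in record.items():
            if starts_with_formula_trigger(field_name) or starts_with_formula_trigger(value):
                offenders.append((row_index, field_name))
    if blocklist_enabled and offenders:
        raise ReportBlockedError(
            "Report Failed: %d cell(s) would begin with a blocked character: %s"
            % (len(offenders), offenders)
        )
    rows = [[record.get(name, "") for name in header] for record in records]
    return header, rows


def report_is_blocked(records):
    """True if blocklist mode would refuse this report."""
    try:
        build_report_rows(records, blocklist_enabled=True)
    except ReportBlockedError:
        return True
    return False


# Constructed sample data: incident records as a platform might export them.
# The second description is user-supplied text that a spreadsheet would
# evaluate as a formula if written raw into a cell.
SAMPLE_RECORDS = [
    {"id": 1001, "description": "Phishing email reported by user"},
    {"id": 1002, "description": '=HYPERLINK("http://example.invalid","open")'},
]


if __name__ == "__main__":
    try:
        build_report_rows(SAMPLE_RECORDS, blocklist_enabled=True)
    except ReportBlockedError as err:
        print(err)  # blocklist on: report refused
    header, rows = build_report_rows(SAMPLE_RECORDS, blocklist_enabled=False)
    print(header, rows)  # blocklist off: raw formula text reaches the cell
```

Two practical points follow from the strict leading-character rule: text values that legitimately start with `-` or `+` (a negative amount stored as a string, an international phone number) will also fail the report, which is the trade-off of refusing generation rather than escaping; and the check must cover field names as well as values, since the advisory notes that a custom field name is just as much attacker-influenced input as its contents.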