Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM50F054E398D9C2FEC6804DE8873031657002656851BE150871B2800BAA7C2644
HistoryOct 18, 2022 - 2:58 p.m.

Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

2022-10-1814:58:51
www.ibm.com
13

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.04 Low

EPSS

Percentile

92.0%

JSON

Summary

Python is used by IBM Robotic Process Automation as part of the NLP command implementation and part of the base container image for Antivirus and OCR services.

Vulnerability Details

CVEID:CVE-2021-4189
**DESCRIPTION:**Python could allow a remote attacker to obtain sensitive information, caused by a flaw when using the FTP client library in PASV (passive) mode. By using a specially-crafted FTP server, an attacker could exploit this vulnerability to obtain service banner information from private network., and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227269 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-3177
**DESCRIPTION:**Python is vulnerable to a buffer overflow, caused by improper bounds checking by the PyCArg_repr function in _ctypes/callproc.c. By sending specially-crafted arguments to c_double.from_param, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195244 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-27619
**DESCRIPTION:**An unspecified error with CJK codec tests call eval() on content retrieved throug HTTP in multibytecodec_support.py in Python has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-26116
**DESCRIPTION:**Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2020-15523
**DESCRIPTION:**Python could allow a remote attacker to execute arbitrary code on the system, caused by an invalid search path flaw for python3.dll loading. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184610 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-8492
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS).
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-18348
**DESCRIPTION:**Python is vulnerable to HTTP header injection, caused by improper validation of input in the urllib2. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-16935
**DESCRIPTION:**Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-9636
**DESCRIPTION:**Python urllib.parse.urlsplit and urllib.parse.urlparse components could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling in NFKC normalization. By using a specially-crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-9740
**DESCRIPTION:**Python is vulnerable to HTTP header injection, caused by improper validation of input in the urllib2. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158138 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-9947
**DESCRIPTION:**Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-20852
**DESCRIPTION:**Python could allow a remote attacker to obtain sensitive information, caused by the failure to correctly validate the domain by http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py. By using a server with a hostname that has another valid hostname as a suffix, an attacker could exploit this vulnerability to obtain leaked existing cookies.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169515 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2018-20406
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by an integer overflow in the Modules/_pickle.c. By using a large LONG_BINPUT value, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154751 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-26488
**DESCRIPTION:**Python could allow a local authenticated attacker to gain elevated privileges on the system, caused by an issue when the search path is inadequately secured. By sending a specially-crafted request to add user-writable directories to the system search path, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221120 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Robotic Process Automation for Cloud Pak < 21.0.5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Robotic Process Automation for Cloud Pak < 21.0.5 Update to 21.0.5 using the following instructions.

Workarounds and Mitigations

None.

Related

cloudlinux 2
amazon 13
openvas 41
osv 12
veracode 1
nessus 70
fedora 13
debian 5
ubuntu 9
suse 3
cloudfoundry 5
gentoo 2
prion 2
debiancve 2
ubuntucve 2
cve 2
archlinux 1
alpinelinux 1
almalinux 1
redhat 3
oraclelinux 3
freebsd 2
ibm 1
redhatcve 1
mageia 1
centos 1
cloudlinux
cloudlinux
Fix of CVE: CVE-2020-26116, CVE-2020-8492, CVE-2018-20852, CVE-2020-27619
2021-10-05 14:07:59
Fix of CVE: CVE-2018-20852, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619
2021-09-23 12:55:16
amazon
amazon
Medium: python27
2020-05-22 20:58:00
Medium: python27
2019-06-25 21:32:00
Important: python36
2019-05-29 19:20:00
openvas
openvas
Debian: Security Advisory (DLA-2280-1)
2020-07-17 00:00:00
Fedora Update for python3 FEDORA-2019-1ffd6b6064
2019-05-17 00:00:00
Ubuntu: Security Advisory (USN-4127-2)
2022-08-26 00:00:00
osv
osv
python3.5 - security update
2020-07-15 00:00:00
CVE-2019-18348
2019-10-23 17:15:12
CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()
2019-10-23 16:31:22
veracode
veracode
CRLF Injection
2020-08-06 21:34:27
nessus
nessus
Amazon Linux AMI : python27, python34, python35, python36 (ALAS-2020-1407)
2020-07-30 00:00:00
Fedora 30 : python3 (2019-1ffd6b6064)
2019-05-17 00:00:00
Debian DLA-2280-1 : python3.5 security update
2020-07-16 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: python3-3.7.3-3.fc30
2019-05-17 01:08:18
[SECURITY] Fedora 31 Update: python35-3.5.8-2.fc31
2019-11-11 01:06:32
[SECURITY] Fedora 30 Update: python35-3.5.8-2.fc30
2019-11-09 22:40:00
debian
debian
[SECURITY] [DLA 2280-1] python3.5 security update
2020-07-15 10:00:36
[SECURITY] [DLA 1835-1] python3.4 security update
2019-06-25 03:40:34
[SECURITY] [DLA 1835-2] python3.4 regression update
2019-06-25 15:04:12
ubuntu
ubuntu
Python vulnerabilities
2019-09-10 00:00:00
Python vulnerabilities
2019-09-09 00:00:00
Python vulnerabilities
2020-04-21 00:00:00
suse
suse
Security update for python3 (important)
2020-12-26 00:00:00
Security update for python3 (important)
2020-12-26 00:00:00
Security update for python (moderate)
2019-10-27 00:00:00
cloudfoundry
cloudfoundry
USN-4127-1: Python vulnerabilities | Cloud Foundry
2019-09-30 00:00:00
USN-4333-1: Python vulnerabilities | Cloud Foundry
2020-05-14 00:00:00
USN-4754-4: Python 2.7 vulnerability | Cloud Foundry
2021-03-22 00:00:00
gentoo
gentoo
Python: Multiple vulnerabilities
2020-03-15 00:00:00
Python: Multiple vulnerabilities
2021-01-24 00:00:00
prion
prion
Path traversal
2019-10-23 17:15:00
Crlf injection
2019-03-23 18:29:00
debiancve
debiancve
CVE-2019-18348
2019-10-23 17:15:00
CVE-2019-9947
2019-03-23 18:29:00
ubuntucve
ubuntucve
CVE-2019-18348
2019-10-23 00:00:00
CVE-2019-9947
2019-03-23 00:00:00
cve
cve
CVE-2019-18348
2019-10-23 17:15:00
CVE-2019-9947
2019-03-23 18:29:00
archlinux
archlinux
[ASA-202103-27] python2: multiple issues
2021-03-25 00:00:00
alpinelinux
alpinelinux
CVE-2019-18348
2019-10-23 17:15:00
almalinux
almalinux
Moderate: python3 security update
2021-05-18 05:42:46
redhat
redhat
(RHSA-2021:1633) Moderate: python3 security update
2021-05-18 05:42:46
(RHSA-2020:4285) Moderate: rh-python36 security, bug fix, and enhancement update
2020-10-19 17:43:31
(RHSA-2020:3888) Moderate: python3 security update
2020-09-29 07:40:56
oraclelinux
oraclelinux
python3 security update
2021-05-25 00:00:00
python3 security update
2020-10-06 00:00:00
python security update
2020-10-06 00:00:00
freebsd
freebsd
Python -- multiple vulnerabilities
2019-10-24 00:00:00
Python -- multiple vulnerabilities
2020-08-19 00:00:00
ibm
ibm
Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Python vulnerabilities
2021-06-16 19:01:03
redhatcve
redhatcve
CVE-2019-9947
2020-04-09 10:53:01
mageia
mageia
Updated python packages fix security vulnerabilities
2019-11-08 02:36:48
centos
centos
python3 security update
2020-10-20 18:48:39

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.04 Low

EPSS

Percentile

92.0%

JSON
Related for 50F054E398D9C2FEC6804DE8873031657002656851BE150871B2800BAA7C2644
cloudlinux2amazon13openvas41osv12veracode1nessus70fedora13debian5ubuntu9suse3cloudfoundry5gentoo2prion2debiancve2ubuntucve2cve2archlinux1alpinelinux1almalinux1redhat3oraclelinux3freebsd2ibm1redhatcve1mageia1centos1