Lucene search

IBM5162AF6FA786227C2B8195BBD60C94F1A4CF6450CE1D61A935DEFA57BB17554A

HistoryJul 31, 2024 - 10:23 p.m.

Security Bulletin: Vulnerability in tough-cookie affect Cloud Pak System

2024-07-3122:23:40

www.ibm.com

cloud pak system

tough-cookie

vulnerability

remote code execution

upgrade

ibm

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.002

Percentile

51.3%

JSON

Summary

Vulnerability found in tough-cookie affect Cloud Pak System[CVE-2023-26136]

Vulnerability Details

CVEID:CVE-2023-26136
**DESCRIPTION:**Salesforce tough-cookie could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported versions the recommendation is to upgrade to supported version of the product.

This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.

IBM strongly recommends addressing the vulnerability now by applying the fix below.

For IBM Cloud Pak System v2.3.1.1, v.2.3.2.0 for Power

upgrade to IBM Cloud Pak System v2.3.3.7, apply Cloud Pak System v2.3.3.7 Interim Fix 1 at Fix Central.

Information on upgrading to Cloud Pak System v2.3.3.7 available at <https://www.ibm.com/support/pages/node/6982511>

For IBM Cloud Pak System v2.3.3.7 for Power

upgrade to Cloud Pak System v2.3.3.7 Interim Fix 1 at Fix Central.

Information on upgrading available at <https://www.ibm.com/support/pages/node/7045078>

For Cloud Pak System on intel

Upgrade to Cloud Pak System v2.3.4.0 at Fix Central

Information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_systemMatch2.3

VendorProductVersionCPE
ibmcloud_pak_system2.3cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_system	2.3	cpe:2.3:a:ibm:cloud_pak_system:2.3:::::::*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.002

Percentile

51.3%

JSON

Related for 5162AF6FA786227C2B8195BBD60C94F1A4CF6450CE1D61A935DEFA57BB17554A