CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
AI Score Confidence | Low |
EPSS Percentile | 51.3% |
Vulnerability found in tough-cookie affects Cloud Pak System [CVE-2023-26136]
CVEID: CVE-2023-26136
**DESCRIPTION:** Salesforce tough-cookie could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a `__proto__` or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
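The flaw class described above, shown as an added example that is neither IBM's nor tough-cookie's code: a simplified cookie index keyed by domain, path and name, built once from plain objects and once from null-prototype objects. The names `makeStore`, `run` and `pollutedKeys` and the sample inputs are constructed for illustration, and the model performs no domain validation, which is an assumption standing in for the rejectPublicSuffixes=false mode.

```javascript
// Simplified model of a cookie index shaped idx[domain][path][name].
// Constructed for illustration; not tough-cookie's source.

function makeStore(hardened) {
  // Hardened form: null-prototype objects inherit no __proto__ accessor,
  // so an attacker-chosen key is stored as an ordinary own property.
  const blank = () => (hardened ? Object.create(null) : {});
  const idx = blank();
  return {
    idx,
    putCookie(domain, path, name, value) {
      // No domain validation here (assumption: models rejectPublicSuffixes=false).
      if (!idx[domain]) idx[domain] = blank();
      if (!idx[domain][path]) idx[domain][path] = blank();
      idx[domain][path][name] = value;
    },
  };
}

// Detection check: a clean runtime has no enumerable keys on Object.prototype.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

function run(hardened) {
  const store = makeStore(hardened);
  store.putCookie("example.test", "/", "sid", "1"); // ordinary cookie (constructed)
  store.putCookie("__proto__", "/probe", "k", "v"); // hostile domain (constructed)
  const result = {
    normalWorks: store.idx["example.test"]["/"].sid === "1",
    // True when an unrelated, freshly created object inherits the stored path.
    inherited: ({})["/probe"] !== undefined,
    leaked: pollutedKeys(),
    // True when "__proto__" was kept as data inside the index itself.
    storedAsData: Object.prototype.hasOwnProperty.call(store.idx, "__proto__"),
  };
  for (const k of result.leaked) delete Object.prototype[k]; // restore clean state
  return result;
}

console.log("plain objects:", run(false));
console.log("null-prototype:", run(true));
```

The `pollutedKeys` check can be reused in a test suite or health probe of a Node.js service to flag a polluted runtime after untrusted cookies have been parsed.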
Affected Product(s) | Version(s) (Power) |
---|---|
IBM Cloud Pak System | 2.3.1.1, 2.3.2.0 |
IBM Cloud Pak System | 2.3.3.7 |

Affected Product(s) | Version(s) (Intel) |
---|---|
IBM Cloud Pak System | 2.3.3.0 |
IBM Cloud Pak System | 2.3.3.3 iFix1 |
IBM Cloud Pak System | 2.3.3.4 |
IBM Cloud Pak System | 2.3.3.5 |
IBM Cloud Pak System | 2.3.3.6, 2.3.3.3.6 iFix1, 2.3.3.6 iFix2 |
For unsupported versions, the recommendation is to upgrade to a supported version of the product.
This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.
IBM strongly recommends addressing the vulnerability now by applying the fix below.
For IBM Cloud Pak System v2.3.1.1, v2.3.2.0 for Power:
Upgrade to IBM Cloud Pak System v2.3.3.7 and apply Cloud Pak System v2.3.3.7 Interim Fix 1 at Fix Central.
Information on upgrading to Cloud Pak System v2.3.3.7 is available at <https://www.ibm.com/support/pages/node/6982511>
For IBM Cloud Pak System v2.3.3.7 for Power:
Upgrade to Cloud Pak System v2.3.3.7 Interim Fix 1 at Fix Central.
Information on upgrading is available at <https://www.ibm.com/support/pages/node/7045078>
For Cloud Pak System on Intel:
Upgrade to Cloud Pak System v2.3.4.0 at Fix Central.
Information on upgrading is available at <http://www.ibm.com/support/docview.wss?uid=ibm10887959>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_system | 2.3 | cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:* |