History: Jul 03, 2024 - 8:06 p.m.

Security Bulletin: Denial of service and security restrictions bypass might affect IBM Storage Defender – Resiliency Service

2024-07-03 20:06:48
www.ibm.com

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score: 7.8 High (Confidence: High)

Summary

IBM Storage Defender – Resiliency Service is vulnerable to issues that can affect data confidentiality and service availability. The vulnerabilities have been addressed: CVE-2024-27351, CVE-2024-34064, CVE-2024-32879, CVE-2024-24786.

Vulnerability Details

CVEID: CVE-2024-24786
**DESCRIPTION:** Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop flaw in the protojson.Unmarshal function when unmarshaling certain forms of invalid JSON. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285337 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-32879
**DESCRIPTION:** Python Social Auth Django could allow a remote authenticated attacker to bypass security restrictions, caused by improper handling of case sensitivity. By sending a specially crafted request using third-party authentication user IDs, an attacker could exploit this vulnerability to match up with different IDs.
CVSS Base score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/289482 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID: CVE-2024-34064
**DESCRIPTION:** Jinja is vulnerable to cross-site scripting, caused by the acceptance of keys containing non-attribute characters by the xmlattr filter. A remote attacker could exploit this vulnerability to inject other attributes into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/290008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
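The xmlattr weakness above comes down to trusting attribute *names*: a key containing whitespace, `/`, `>` or `=` can close one attribute and open another. The following is an added illustration (not Jinja's code, and not part of the IBM bulletin) of an attribute renderer in its pre-fix form beside a hardened form that applies the same key check Jinja 3.1.4 introduced; all function names and the sample attribute dictionaries are constructed for this example.

```python
import html
import re
from typing import Iterable, Mapping

# Characters that let a key terminate one attribute and start another.
# This mirrors the key validation added to Jinja's xmlattr in 3.1.4
# (added illustration, not Jinja's own source).
_ATTR_KEY_RE = re.compile(r"[\s/>=]")


def render_attrs_unsafe(attrs: Mapping[str, object]) -> str:
    """Pre-fix behaviour: values are escaped but keys are emitted verbatim."""
    return " ".join(
        f'{key}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


def invalid_attr_keys(keys: Iterable[str]) -> list[str]:
    """Audit helper: return every key containing whitespace, '/', '>' or '='."""
    return [key for key in keys if _ATTR_KEY_RE.search(key) is not None]


def render_attrs_safe(attrs: Mapping[str, object]) -> str:
    """Hardened variant: refuse to render if any key could inject attributes."""
    bad = invalid_attr_keys(attrs)
    if bad:
        raise ValueError(f"Invalid character in attribute name: {bad[0]!r}")
    return render_attrs_unsafe(attrs)


# Constructed samples: a template that lets request data choose an attribute name.
TRUSTED = {"class": "note", "data-id": 7}
TAMPERED = {'class="note" hidden': "", "data-id": 7}


if __name__ == "__main__":
    # The unsafe renderer lets the extra 'hidden' attribute through intact.
    print(render_attrs_unsafe(TAMPERED))
    try:
        render_attrs_safe(TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```

`invalid_attr_keys` is the check to apply wherever template data can still reach an attribute name in a deployment that cannot yet upgrade the bundled Jinja.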

CVEID: CVE-2024-27351
**DESCRIPTION:** Django is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the django.utils.text.Truncator.words() function. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/284701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Defender - Resiliency Service | All |

Remediation/Fixes

The Connection Manager included with Defender 2.0.5 and newer provides the fixes. If you are using a version of the Connection Manager obtained from Defender 2.0.0 - 2.0.4, IBM strongly recommends upgrading. Instructions for upgrading can be found here.

Workarounds and Mitigations

None

Affected configurations (Vulners)

Node: ibm storage_defender_data_protect, Match 2.0.5

| CPE Name | Operator | Version |
|---|---|---|
| ibm storage defender | eq | 2.0.5 |
