Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5E8AA70CB8B57AC5EFBC54AA401E7BF261CE1B905CF3B82BCDCCA6A85AA8292F
HistoryJan 09, 2023 - 6:12 p.m.

Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.9 and earlier

2023-01-0918:12:56
www.ibm.com
13

0.005 Low

EPSS

Percentile

76.3%

JSON

Summary

This fix upgrades to socket.io 4.5.4, protobuf-java 3.21.9 and nodejs 14.21.1.

Vulnerability Details

CVEID:CVE-2022-41940
**DESCRIPTION:**Socket.IO Engine.IO is vulnerable to a denial of service, caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote authenticated attacker could exploit this vulnerability to cause the Node.js process to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-3510
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for Message-Type Extensions. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239916 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-43548
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary code on the system. The rebinding protector for --inspect still allows invalid IP address, specifically, the octal format. By combining with an active --inspect session, an attacker could exploit this vulnerability to perform DNS rebinding and execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241552 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2022-2421
**DESCRIPTION:**Node.js socket.io module is vulnerable to SQL injection, caused by improper type validation in the socket.io-parser library. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239554 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2022-3509
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
ICP - IBM Answer Retrieval for Watson Discovery All
ICP - IBM Answer Retrieval for Watson Discovery All
ICP - IBM Answer Retrieval for Watson Discovery All
ICP - IBM Answer Retrieval for Watson Discovery All
ICP - IBM Answer Retrieval for Watson Discovery All

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Answer Retrieval for Watson Discovery < 2.10.0 Download and install v2.10.0
Follow instructions in the downloaded package.

Workarounds and Mitigations

N/A

Related

ibm 51
gentoo 1
nessus 34
redhat 10
veracode 5
cvelist 5
osv 20
cve 5
redhatcve 4
prion 5
github 4
cnvd 2
openvas 15
hackerone 1
altlinux 1
cbl_mariner 2
mageia 1
cgr 2
wolfi 2
oraclelinux 4
rocky 5
almalinux 5
f5 1
alpinelinux 1
debiancve 3
ubuntucve 4
atlassian 2
nodejsblog 1
debian 1
photon 2
ibm
ibm
Security Bulletin: IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509)
2023-03-01 16:33:38
Security Bulletin: Multiple Vulnerabilities in Google Protocol Buffer affect IBM Operations Analytics - Log Analysis (CVE-2022-3509, CVE-2022-3510)
2023-04-03 07:43:39
Security Bulletin: protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite
2023-08-08 21:17:27
gentoo
gentoo
protobuf-java: Denial of Service
2023-01-11 00:00:00
nessus
nessus
GLSA-202301-09 : protobuf-java: Denial of Service
2023-01-11 00:00:00
Oracle MySQL Cluster (Apr 2023 CPU)
2023-04-20 00:00:00
RHEL 8 : nodejs:18 (RHSA-2022:8833)
2022-12-07 00:00:00
redhat
redhat
(RHSA-2023:1855) Moderate: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release
2023-04-18 18:57:50
(RHSA-2022:8833) Moderate: nodejs:18 security, bug fix, and enhancement update
2022-12-06 15:25:28
(RHSA-2022:8832) Moderate: nodejs:18 security, bug fix, and enhancement update
2022-12-06 15:25:25
veracode
veracode
Denial Of Service (DoS)
2022-11-23 08:32:44
Arbitrary Code Execution
2022-11-06 14:52:02
Denial Of Service (DoS)
2023-01-20 02:30:31
cvelist
cvelist
CVE-2022-41940 Uncaught exception in engine.io
2022-11-22 00:00:00
CVE-2022-2421 Socket.io - Improper type validation in attachment parsing
2022-10-25 00:00:00
CVE-2022-43548
2022-12-05 00:00:00
osv
osv
CVE-2022-41940
2022-11-22 01:15:37
Uncaught exception in engine.io
2022-11-21 23:55:41
Insufficient validation when decoding a Socket.IO packet
2022-10-26 12:00:28
cve
cve
CVE-2022-41940
2022-11-22 01:15:00
CVE-2022-2421
2022-10-26 10:15:00
CVE-2022-43548
2022-12-05 22:15:00
redhatcve
redhatcve
CVE-2022-41940
2022-11-22 19:56:41
CVE-2022-43548
2022-11-08 07:56:08
CVE-2022-3510
2023-04-03 19:43:10
prion
prion
Cross site scripting
2022-11-22 01:15:00
Input validation
2022-10-26 10:15:00
Command injection
2022-12-05 22:15:00
github
github
Uncaught exception in engine.io
2022-11-21 23:55:41
Insufficient validation when decoding a Socket.IO packet
2022-10-26 12:00:28
Protobuf Java vulnerable to Uncontrolled Resource Consumption
2022-12-12 15:30:33
cnvd
cnvd
Socketio Engine.IO Denial of Service Vulnerability
2022-11-24 00:00:00
IBM WebSphere Application Server Liberty Denial of Service Vulnerability
2022-11-30 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:4254-1)
2022-11-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:4255-1)
2022-11-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3967-1)
2022-11-15 00:00:00
hackerone
hackerone
Node.js: DNS rebinding in --inspect via invalid octal IP address
2022-09-23 19:28:01
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 16.18.1-alt1
2023-03-18 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-43548 affecting package nodejs 14.20.1-2
2022-12-27 17:55:50
CVE-2022-43548 affecting package nodejs for versions less than 16.18.1-2
2022-12-19 20:12:43
mageia
mageia
Updated nodejs packages fix security vulnerability
2022-11-13 05:25:20
cgr
cgr
CVE-2022-3510 vulnerabilities
2024-05-19 03:07:16
CVE-2022-3509 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2022-3510 vulnerabilities
2024-06-02 15:23:11
CVE-2022-3509 vulnerabilities
2024-06-02 15:23:11
oraclelinux
oraclelinux
nodejs:18 security, bug fix, and enhancement update
2022-12-09 00:00:00
nodejs:18 security, bug fix, and enhancement update
2022-12-08 00:00:00
nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-01-24 00:00:00
rocky
rocky
nodejs:18 security, bug fix, and enhancement update
2022-12-06 15:25:25
nodejs:18 security, bug fix, and enhancement update
2022-12-06 15:25:28
nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-01-23 14:30:11
almalinux
almalinux
Moderate: nodejs:18 security, bug fix, and enhancement update
2022-12-06 00:00:00
Moderate: nodejs:18 security, bug fix, and enhancement update
2022-12-06 00:00:00
Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-01-23 00:00:00
f5
f5
K000133494 : Node.js vulnerability CVE-2022-43548
2023-04-12 00:00:00
alpinelinux
alpinelinux
CVE-2022-43548
2022-12-05 22:15:00
debiancve
debiancve
CVE-2022-43548
2022-12-05 22:15:00
CVE-2022-3510
2022-12-12 13:15:00
CVE-2022-3509
2022-12-12 13:15:00
ubuntucve
ubuntucve
CVE-2022-43548
2022-12-05 00:00:00
CVE-2022-3171
2022-10-12 00:00:00
CVE-2022-3510
2022-12-12 00:00:00
atlassian
atlassian
DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Jira Software Data Center and Server
2024-02-14 10:46:12
com.google.protobuf:protobuf-java Vulnerability in Jira Service Management Data Center and Server
2023-10-09 01:44:49
nodejsblog
nodejsblog
Nov 3 2022 Security Releases
2022-11-01 00:00:00
debian
debian
[SECURITY] [DSA 5326-1] nodejs security update
2023-01-24 20:01:20
photon
photon
Critical Photon OS Security Update - PHSA-2023-5.0-0011
2023-05-24 00:00:00
Important Photon OS Security Update - PHSA-2022-3.0-0504
2022-12-17 00:00:00

0.005 Low

EPSS

Percentile

76.3%

JSON
Related for 5E8AA70CB8B57AC5EFBC54AA401E7BF261CE1B905CF3B82BCDCCA6A85AA8292F
ibm51gentoo1nessus34redhat10veracode5cvelist5osv20cve5redhatcve4prion5github4cnvd2openvas15hackerone1altlinux1cbl_mariner2mageia1cgr2wolfi2oraclelinux4rocky5almalinux5f51alpinelinux1debiancve3ubuntucve4atlassian2nodejsblog1debian1photon2