IBM6061B83194C2EA867046D3E7BC1AF461BCCE88984385D7BD7A335DC866DC1821Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to directory traversal due to golang compiler ( CVE-2023-45283,CVE-2023-45284, CVE-2023-45285 )
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
41.3%
Summary
Golang compiler is used by IBM Cloud Pak for Data Scheduling to create the scheduler binaries. < CVE-2023-45283, CVE-2023-45284, CVE-2023-45285 >
Vulnerability Details
CVEID:CVE-2023-45283
**DESCRIPTION:**Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a ??\ prefix as a Root Local Device path prefix in the filepath and safefilepath package. An attacker could send a specially crafted URL request containing โdot dotโ sequences (/โฆ/) to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-45284
**DESCRIPTION:**Golang Go could provide weaker than expected security, caused by the failure to correctly detect reserved device names in some cases by the IsLocal function in the filepath package. An attacker could exploit this vulnerability to report โCOM1โ, and reserved names โCOMโ and โLPTโ followed by superscript 1, 2, or 3 as local.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-45285
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when using go get to fetch a module with the โ.gitโ suffix. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the insecure โgit://โ protocol, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273323 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
Affected Product(s)|**Version(s)
**
โ|โ
IBM Cloud Pak for Data Scheduling| 4.6.4 - 4.8.2
Remediation/Fixes
IBM recommends addressing the vulnerability now.
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Cloud Pak for Data Scheduling | 4.6.4 - 4.8.2 | Follow the instructions to upgrade. |
Note: IBM Cloud Pak for Data Scheduling are bundled with IBM Cloud Pak for Data to provide advanced scheduling features
Workarounds and Mitigations
Workarounds/Mitigation guidance:
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for data | eq | 4.8.4 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
41.3%