Lucene search

K
ibmIBM6D6FF40346DB8002217D4BAB512A094A5DC600C7A95E9FDA025E80972DC678CE
HistoryDec 02, 2021 - 6:18 p.m.

Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-37713)

2021-12-0218:18:20
www.ibm.com
7

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

23.6%

Summary

IBM Integration Bus ships with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID:CVE-2021-37713
**DESCRIPTION:**Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208451 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

IBM Integration Bus V10 , V10.0.0.0 - V10.0.0.24 ( Linux on Intel x86-64 and Windows 64-bit only)

Remediation/Fixes

Product

|

VRMF

| APAR|

Remediation / Fix

—|—|—|—
IBM Integration Bus
| V10.0.0.0-V10.0.0.24| IT38593| Interim fix for APAR (IT38593) is available from

IBM Fix Central

Workarounds and Mitigations

None

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

23.6%

Related for 6D6FF40346DB8002217D4BAB512A094A5DC600C7A95E9FDA025E80972DC678CE