Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM74F535A8CF66E38D33F2349CEE26ACB06F03ED8BAAE826CA354CD7ABE0CC3923
HistoryJun 07, 2023 - 3:44 p.m.

Security Bulletin: Multiple vulnerabilities in golang affect IBM Db2® REST

2023-06-0715:44:22
www.ibm.com
12

0.002 Low

EPSS

Percentile

51.0%

JSON

Summary

IBM Db2® REST is affected by multiple vulnerabilities found in Golang. IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-24540
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029”, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-29400
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into the templates, which when parsed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255427 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-24539
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing multiple actions separated by a ‘/’ character, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

All platforms of the following IBM® Db2® REST levels are affected:

Affected Product(s) Version(s)
Db2 Rest

1.0.0.121-amd64-1.0.0.268-amd64

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® REST release containing the fix for these issues.

Product(s) Fixed in Version(s)
Db2 REST

1.0.0.276-amd64

latest-amd64

Follow the instructions below to download IBM Db2 REST from the IBM Cloud Container Registry.

<https://www.ibm.com/docs/en/db2/11.5?topic=endpoints-downloading-rest-service&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
db2 for linux, unix and windowseqany

Related

amazon 3
nessus 60
mageia 1
ibm 19
redhat 27
openvas 10
altlinux 1
photon 3
f5 1
freebsd 1
ubuntu 1
alpinelinux 3
cbl_mariner 8
osv 17
cgr 3
veracode 3
prion 3
redhatcve 3
wolfi 3
ubuntucve 3
cvelist 3
debiancve 3
cve 3
almalinux 8
oraclelinux 7
rocky 1
redos 1
amazon
amazon
Important: golang
2023-06-05 16:39:00
Important: golang
2023-05-25 17:41:00
Important: golang
2023-07-20 17:29:00
nessus
nessus
Amazon Linux AMI : golang (ALAS-2023-1760)
2023-06-09 00:00:00
EulerOS 2.0 SP9 : golang (EulerOS-SA-2023-2583)
2023-08-08 00:00:00
CentOS 9 : toolbox-0.0.99.4-5.el9
2024-04-26 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2023-05-16 22:17:40
ibm
ibm
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple ansible-operator vulnerabilities
2024-02-20 19:45:04
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go
2023-07-26 20:48:02
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Go [CVE-2023-24539 and CVE-2023-24540]
2023-06-29 17:28:53
redhat
redhat
(RHSA-2023:3415) Important: ACS 4.0 enhancement and security update
2023-05-31 19:31:02
(RHSA-2023:3323) Important: go-toolset-1.19 and go-toolset-1.19-golang security update
2023-05-25 12:17:40
(RHSA-2023:4459) Moderate: OpenShift Container Platform 4.13.8 packages and security update
2023-08-08 11:24:53
openvas
openvas
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-2613)
2023-08-08 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-2583)
2023-08-08 00:00:00
Mageia: Security Advisory (MGASA-2023-0169)
2023-05-17 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.19.9-alt1
2023-05-03 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0387
2023-05-05 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0575
2023-05-05 00:00:00
Critical Photon OS Security Update - PHSA-2023-5.0-0037
2023-06-23 00:00:00
f5
f5
K000138679 : GoLang vulnerabilities CVE-2023-24540, CVE-2023-29400, and CVE-2023-29403
2024-02-21 00:00:00
freebsd
freebsd
go -- multiple vulnerabilities
2023-04-27 00:00:00
ubuntu
ubuntu
Go vulnerabilities
2023-06-06 00:00:00
alpinelinux
alpinelinux
CVE-2023-29400
2023-05-11 16:15:09
CVE-2023-24540
2023-05-11 16:15:09
CVE-2023-24539
2023-05-11 16:15:09
cbl_mariner
cbl_mariner
CVE-2023-29400 affecting package golang for versions less than 1.20.7-1
2024-05-17 09:07:10
CVE-2023-24539 affecting package golang for versions less than 1.20.7-1
2024-05-17 09:07:16
CVE-2023-29400 affecting package msft-golang for versions less than 1.20.7-1
2024-05-17 09:07:16
osv
osv
Improper handling of empty HTML attributes in html/template
2023-05-05 21:10:24
BIT-golang-2023-29400
2024-03-06 10:55:58
CVE-2023-29400
2023-05-11 16:15:09
cgr
cgr
CVE-2023-29400 vulnerabilities
2024-05-17 09:07:10
CVE-2023-24539 vulnerabilities
2024-05-17 09:07:10
CVE-2023-24540 vulnerabilities
2024-05-17 09:07:10
veracode
veracode
Code Injection
2023-05-14 11:44:02
Command Injection
2023-05-14 12:08:29
Improper Sanitization
2023-05-14 11:44:15
prion
prion
Code injection
2023-05-11 16:15:00
Input validation
2023-05-11 16:15:00
Code injection
2023-05-11 16:15:00
redhatcve
redhatcve
CVE-2023-29400
2023-05-08 09:53:02
CVE-2023-24540
2023-05-08 09:52:44
CVE-2023-24539
2023-05-08 09:22:01
wolfi
wolfi
CVE-2023-29400 vulnerabilities
2024-05-17 09:07:10
CVE-2023-24540 vulnerabilities
2024-05-17 09:07:10
CVE-2023-24539 vulnerabilities
2024-05-17 09:07:10
ubuntucve
ubuntucve
CVE-2023-24539
2023-05-11 00:00:00
CVE-2023-29400
2023-05-11 00:00:00
CVE-2023-24540
2023-05-11 00:00:00
cvelist
cvelist
CVE-2023-24539 Improper sanitization of CSS values in html/template
2023-05-11 15:29:38
CVE-2023-29400 Improper handling of empty HTML attributes in html/template
2023-05-11 15:29:24
CVE-2023-24540 Improper handling of JavaScript whitespace in html/template
2023-05-11 15:29:31
debiancve
debiancve
CVE-2023-24539
2023-05-11 16:15:09
CVE-2023-29400
2023-05-11 16:15:09
CVE-2023-24540
2023-05-11 16:15:09
cve
cve
CVE-2023-29400
2023-05-11 16:15:09
CVE-2023-24539
2023-05-11 16:15:09
CVE-2023-24540
2023-05-11 16:15:09
almalinux
almalinux
Important: go-toolset and golang security update
2023-05-25 00:00:00
Important: go-toolset:rhel8 security update
2023-05-25 00:00:00
Moderate: toolbox security and bug fix update
2023-11-07 00:00:00
oraclelinux
oraclelinux
go-toolset and golang security update
2023-05-25 00:00:00
go-toolset:ol8 security update
2023-05-25 00:00:00
containernetworking-plugins security and bug fix update
2023-11-11 00:00:00
rocky
rocky
go-toolset:Rocky Linux8 security update
2023-05-25 17:22:28
redos
redos
ROS-20240418-06
2024-04-18 00:00:00

0.002 Low

EPSS

Percentile

51.0%

JSON
Related for 74F535A8CF66E38D33F2349CEE26ACB06F03ED8BAAE826CA354CD7ABE0CC3923
amazon3nessus60mageia1ibm19redhat27openvas10altlinux1photon3f51freebsd1ubuntu1alpinelinux3cbl_mariner8osv17cgr3veracode3prion3redhatcve3wolfi3ubuntucve3cvelist3debiancve3cve3almalinux8oraclelinux7rocky1redos1