IBM Db2® REST is affected by multiple vulnerabilities found in Golang. IBM has addressed the vulnerabilities.
CVEID: CVE-2023-24540
**DESCRIPTION:** Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029”, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-29400
**DESCRIPTION:** Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into the templates, which when parsed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255427 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2023-24539
**DESCRIPTION:** Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing multiple actions separated by a ‘/’ character, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
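As an added audit helper (not code from the bulletin, from IBM or from the Go project), the scan below flags the condition described for CVE-2023-24540: whitespace runes outside the quoted set “\t\n\f\r\u0020\u2028\u2029” in a template that contains actions. `ScanTemplate` and `Finding` are assumed names, the sample template is constructed, and the scan is a heuristic over template source rather than a parser; the remediation remains the upgrade in this bulletin.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Whitespace runes that html/template already handled in JavaScript
// contexts, exactly the set quoted in the CVE-2023-24540 description.
var safeWS = map[rune]bool{
	'\t': true, '\n': true, '\f': true, '\r': true, ' ': true,
	'\u2028': true, '\u2029': true,
}

// Finding records one suspicious whitespace rune in a template source.
type Finding struct {
	Line, Col int
	Rune      rune
}

// ScanTemplate returns every whitespace rune outside safeWS in a template
// that contains at least one action ("{{"). Templates without actions are
// skipped because the described condition requires them. The check uses
// unicode.IsSpace plus U+FEFF (a JavaScript whitespace not in IsSpace).
func ScanTemplate(src string) []Finding {
	if !strings.Contains(src, "{{") {
		return nil
	}
	var out []Finding
	line, col := 1, 0
	for _, r := range src {
		col++
		if r == '\n' {
			line, col = line+1, 0
			continue
		}
		if (unicode.IsSpace(r) || r == '\ufeff') && !safeWS[r] {
			out = append(out, Finding{Line: line, Col: col, Rune: r})
		}
	}
	return out
}

func main() {
	// Constructed sample: an onclick handler with a vertical tab (\v) and a
	// no-break space (U+00A0) around a template action.
	const tmpl = "<a onclick=\"f(\v{{.X}}\u00a0)\">go</a>"
	for _, f := range ScanTemplate(tmpl) {
		fmt.Printf("line %d col %d: U+%04X\n", f.Line, f.Col, f.Rune)
	}
}
```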
All platforms of the following IBM® Db2® REST levels are affected:
Affected Product(s) | Version(s) |
---|---|
Db2 REST | 1.0.0.121-amd64 - 1.0.0.268-amd64 |
IBM strongly recommends addressing the vulnerabilities now by upgrading to the latest IBM® Db2® REST release containing the fix for these issues.
Product(s) | Fixed in Version(s) |
---|---|
Db2 REST | 1.0.0.276-amd64, latest-amd64 |
Follow the instructions below to download IBM Db2 REST from the IBM Cloud Container Registry.
<https://www.ibm.com/docs/en/db2/11.5?topic=endpoints-downloading-rest-service>
None
CPE | Name | Operator | Version |
---|---|---|---|
 | db2 for linux, unix and windows | eq | any |