Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM77E360F7DD0736FD4057347774BDA43D4B9319BD904A00ABC3A8EF628BBC20EE
HistoryAug 08, 2023 - 10:40 a.m.

Security Bulletin: Multiple vulnerabilities found on thirdparty libraries used by IBM® MobileFirst Platform

2023-08-0810:40:19
www.ibm.com
21
ibm mobilefirst platform
multiple vulnerabilities
open source libraries
hutool
fasterxml jackson-databind
jose4j

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

31.1%

JSON

Summary

There are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update.

Vulnerability Details

CVEID:CVE-2022-45688
**DESCRIPTION:**Hutool is vulnerable to a denial of service, caused by stack-based buffer overflow. By persuading a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242881 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-35116
**DESCRIPTION:**Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**IBM X-Force ID:**254437
**DESCRIPTION:**Jose4J could allow a remote attacker to obtain sensitive information, caused by a chosen ciphertext attack in RSA1_5. By using cryptographic attack techniques, an attacker could exploit this vulnerability to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MobileFirst Foundation 8.x.x

Remediation/Fixes

Product(s) Version Number(s) and/or range Remediation/Fix/Instructions
IBM MobileFirst Platform Foundation 8.0.0.0 iFix build 8.0.0.0-MFPF-IF202307260922 build includes fixes to resolve vulnerable third party libraries.

Please download from Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmobilefirst_platform_foundationMatch8.0.0.0

Related

nvd 2
osv 2
prion 2
atlassian 2
ibm 43
broadcom 1
cvelist 2
cve 2
github 1
gitlab 1
veracode 1
nessus 13
ubuntucve 1
debiancve 1
redhatcve 1
redhat 5
oracle 3
nvd
nvd
CVE-2022-45688
2022-12-13 15:15:11
CVE-2023-35116
2023-06-14 14:15:10
osv
osv
json stack overflow vulnerability
2022-12-13 15:30:26
CVE-2022-45688
2022-12-13 15:15:11
prion
prion
Stack overflow
2022-12-13 15:15:00
Code injection
2023-06-14 14:15:00
atlassian
atlassian
hutool-json Vulnerability in Bitbucket Data Center and Server
2023-10-04 19:45:14
DoS (Denial of Service) org.json:json Dependency in Jira Software Data Center and Server
2024-02-14 10:45:52
ibm
ibm
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Hutool [ CVE-2022-45688]
2023-11-30 18:48:10
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to denial of service due to Hutool (CVE-2022-45688)
2024-03-12 17:33:14
Security Bulletin: Vulnerability in Hutool affects IBM Process Mining . CVE-2022-45688
2023-10-09 10:46:05
broadcom
broadcom
CVE-2022-45688 -A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10
2023-09-08 00:00:00
cvelist
cvelist
CVE-2022-45688
2022-12-13 00:00:00
CVE-2023-35116
2023-06-14 00:00:00
cve
cve
CVE-2022-45688
2022-12-13 15:15:11
CVE-2023-35116
2023-06-14 14:15:10
github
github
json stack overflow vulnerability
2022-12-13 15:30:26
gitlab
gitlab
hutool-json stack overflow vulnerability
2022-12-13 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-12-14 05:26:26
nessus
nessus
RHEL 6 : jackson-databind (Unpatched Vulnerability)
2024-06-03 00:00:00
Amazon Linux 2023 : jackson-core (ALAS2023-2023-248)
2023-07-20 00:00:00
RHEL 9 : jackson-databind (Unpatched Vulnerability)
2024-06-03 00:00:00
ubuntucve
ubuntucve
CVE-2023-35116
2023-06-14 00:00:00
debiancve
debiancve
CVE-2023-35116
2023-06-14 14:15:00
redhatcve
redhatcve
CVE-2023-35116
2023-08-22 17:50:09
redhat
redhat
(RHSA-2024:2707) Important: Red Hat Build of Apache Camel security update
2024-05-06 14:08:42
(RHSA-2023:5396) Moderate: Red Hat Data Grid 8.4.4 security update
2023-09-28 11:54:13
(RHSA-2024:0777) Important: jenkins and jenkins-2-plugins security update
2024-02-12 10:20:42
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

31.1%

JSON
Related for 77E360F7DD0736FD4057347774BDA43D4B9319BD904A00ABC3A8EF628BBC20EE
nvd2osv2prion2atlassian2ibm43broadcom1cvelist2cve2github1gitlab1veracode1nessus13ubuntucve1debiancve1redhatcve1redhat5oracle3