Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7FD9F7FFE1C0EF8F68DFE234A094535CE5CD56211AA4CA79732A71BF6B3C0262
HistoryDec 08, 2020 - 6:37 a.m.

Security Bulletin: OSS security Scan issues for Concerto installer.

2020-12-0806:37:17
www.ibm.com
32

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Summary

Fixed in IBM Netezza for Cloud Pak for Data 11.1.1.0

Vulnerability Details

CVEID:CVE-2018-19838
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a stack-based buffer overflow in the IMPLEMENT_AST_OPERATORS expansion in ast.cpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153722 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-20822
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161650 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-19839
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a heap-based buffer over-read in the handle_error function in sass_context.cpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153723 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-11499
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a use-after-free in handle_error() in sass_context.cpp. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/143880 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2017-16119
**DESCRIPTION:**Node.js fresh module is vulnerable to regular expression denial of service when passing untrusted user input. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135866 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-20149
**DESCRIPTION:**kind-of could allow a remote attacker to bypass security restrictions, caused by improper validation of user supplied input in ctorName in index.js. By sending a specially-crafted payload, an attacker could exploit this vulnerability to overwrite the builtin attribute to manipulate the type detection result.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173669 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-8116
**DESCRIPTION:**Node.js dot-prop could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175850 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-7598
**DESCRIPTION:**minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2018-11697
**DESCRIPTION:**LibSaas could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::exactly(). By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144302 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID:CVE-2020-8203
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-6286
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a heap-based buffer over-read in Sass::Prelexer::skip_over_scopes in prelexer.hpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155592 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-6283
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a heap-based buffer over-read in Sass::Prelexer::parenthese_scope in prelexer.hpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155594 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-6284
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a heap-based buffer over-read in Sass::Prelexer::alternatives in prelexer.hpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155593 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-11698
**DESCRIPTION:**LibSaas could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::handle_error. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144297 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID:CVE-2018-19827
**DESCRIPTION:**Libsass is vulnerable to a denial of service, caused by a use after free in the SharedPtr class in SharedPtr.cpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153718 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-19797
**DESCRIPTION:**LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153652 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Netezza for Cloud Pak for Data All

Remediation/Fixes

upgrade to

IBM Netezza for Cloud Pak for Data 11.1.1.0

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud pak for dataeq11.1.1.0

Related

ibm 23
suse 4
nessus 21
openvas 7
mageia 1
osv 25
ubuntu 1
ubuntucve 16
prion 16
redhatcve 17
debiancve 16
veracode 7
cve 16
githubexploit 3
github 6
nodejs 2
hackerone 2
huntr 1
redhat 10
thn 1
redos 1
rocky 2
almalinux 1
ibm
ibm
Security Bulletin: Open Source Security issues for NPS console.
2020-12-15 07:03:03
Security Bulletin: OSS scan fixes for Content pos
2020-12-15 06:58:30
Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with multiple vulnerabilities
2021-02-10 16:34:41
suse
suse
Security update for libsass (moderate)
2019-07-23 00:00:00
Security update for libsass (moderate)
2019-08-14 00:00:00
Security update for libsass (moderate)
2019-07-24 00:00:00
nessus
nessus
openSUSE Security Update : libsass (openSUSE-2019-1791)
2019-07-24 00:00:00
Ubuntu 18.04 ESM : LibSass vulnerabilities (USN-4837-1)
2023-10-20 00:00:00
RHEL 8 : Red Hat Virtualization (RHSA-2020:5611)
2020-12-18 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2020-0049)
2022-01-28 00:00:00
openSUSE: Security Advisory for libsass (openSUSE-SU-2019:1791-1)
2019-07-24 00:00:00
Ubuntu: Security Advisory (USN-4837-1)
2023-01-27 00:00:00
mageia
mageia
Updated libsass packages fix security vulnerabilities
2020-01-28 10:52:40
osv
osv
libsass vulnerabilities
2021-03-15 22:19:52
CVE-2018-19839
2018-12-04 09:29:00
CVE-2018-19827
2018-12-03 19:29:00
ubuntu
ubuntu
LibSass vulnerabilities
2021-03-15 00:00:00
ubuntucve
ubuntucve
CVE-2018-20822
2019-04-23 00:00:00
CVE-2018-19827
2018-12-03 00:00:00
CVE-2018-19838
2018-12-04 00:00:00
prion
prion
Heap overflow
2018-12-04 09:29:00
Design/Logic Flaw
2019-04-23 14:29:00
Design/Logic Flaw
2018-12-04 09:29:00
redhatcve
redhatcve
CVE-2018-20822
2019-05-14 12:22:54
CVE-2018-19838
2019-05-14 12:09:55
CVE-2018-19827
2019-05-14 12:26:32
debiancve
debiancve
CVE-2018-19838
2018-12-04 09:29:00
CVE-2018-20822
2019-04-23 14:29:00
CVE-2018-19827
2018-12-03 19:29:00
veracode
veracode
Denial Of Service (DoS)
2019-05-06 02:18:33
Denial Of Service (DoS)
2020-01-17 06:53:25
Prototype Pollution
2019-12-17 02:47:19
cve
cve
CVE-2018-20822
2019-04-23 14:29:00
CVE-2018-19827
2018-12-03 19:29:00
CVE-2018-19838
2018-12-04 09:29:00
githubexploit
githubexploit
Exploit for Exposure of Resource to Wrong Sphere in Kind-Of Project Kind-Of
2020-12-01 09:18:58
Exploit for Prototype Pollution in Lodash
2020-12-01 09:45:48
Exploit for Prototype Pollution in Dot-Prop Project Dot-Prop
2020-12-01 09:45:48
github
github
Validation Bypass in kind-of
2020-03-31 15:59:54
Prototype Pollution in lodash
2020-07-15 19:15:48
Prototype Pollution in minimist
2020-04-03 21:48:32
nodejs
nodejs
Regular Expression Denial of Service
2017-09-08 20:23:54
Prototype Pollution
2019-10-14 17:43:55
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash)
2019-10-11 12:06:20
Node.js third-party modules: Prototype pollution in dot-prop
2019-10-22 12:06:11
huntr
huntr
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
2023-02-20 02:52:19
redhat
redhat
(RHSA-2020:5611) Important: Red Hat Virtualization security, bug fix, and enhancement update
2020-12-17 08:43:33
(RHSA-2020:3042) Important: nodejs:10 security update
2020-07-21 14:15:40
(RHSA-2020:5179) Low: Red Hat Virtualization security, bug fix, and enhancement update
2020-11-24 12:30:25
thn
thn
Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree
2022-07-01 09:45:00
redos
redos
ROS-20240418-08
2024-04-18 00:00:00
rocky
rocky
nodejs:10 security update
2020-07-07 08:51:24
nodejs:12 security update
2020-07-07 08:52:35
almalinux
almalinux
Important: nodejs:10 security update
2020-07-07 08:51:24

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for 7FD9F7FFE1C0EF8F68DFE234A094535CE5CD56211AA4CA79732A71BF6B3C0262
ibm23suse4nessus21openvas7mageia1osv25ubuntu1ubuntucve16prion16redhatcve17debiancve16veracode7cve16githubexploit3github6nodejs2hackerone2huntr1redhat10thn1redos1rocky2almalinux1