Lucene search

K
ibmIBM83BEAE016A4ABD4FF346942DB25C3402A9F41C06DCE8690EF6135DC71C501718
HistoryApr 30, 2021 - 1:20 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337)

2021-04-3013:20:58
www.ibm.com
5

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

75.4%

Summary

App Connect Enterprise may be vulnerable to a command injection vulnerability due to Node.js module lodash

Vulnerability Details

CVEID:CVE-2021-23337
**DESCRIPTION:**Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 1.0 with Operator
App Connect Enterprise Certified Container 1.1 with Operator
App Connect Enterprise Certified Container 1.2 with Operator
App Connect Enterprise Certified Container 1.3 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.2 and 1.3 CD

Upgrade to App Connect Enterprise Certified Container to Operator version 1.4.0 (available in CASE 1.4.0) or higher, and ensure that all components are at 11.0.0.12-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.1 EUS (available in CASE 1.1.1) or higher, and ensure that all components are at 11.0.0.12-r1-eus or higher.

Workarounds and Mitigations

None

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

75.4%

Related for 83BEAE016A4ABD4FF346942DB25C3402A9F41C06DCE8690EF6135DC71C501718