Lucene search

K
ibmIBM923D57BC9BC8A654D6235E82B961625A1D1DF4832FC5B9EF630C883D90272B5B
HistoryNov 09, 2021 - 6:31 p.m.

Security Bulletin: A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services

2021-11-0918:31:55
www.ibm.com
11

0.007 Low

EPSS

Percentile

80.2%

Summary

A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services.

Vulnerability Details

CVEID:CVE-2021-32804
**DESCRIPTION:**Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/…/) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206719 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Multicloud Management Infrastructure Management All

Remediation/Fixes

Upgrade to IBM Cloud Pak for Multicloud Management 2.3.x Fix Pack 2 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-2.&gt;

Workarounds and Mitigations

None