CVSS3: 7.5 High

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | HIGH
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.009 Low (Percentile 82.3%)
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999]. The vulnerability has been addressed.
CVEID: CVE-2022-24999
**DESCRIPTION:** Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
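The `__proto__`/`constructor` mechanism named in the description, as an added example that is not code from qs, Express or IBM: a small bracket-notation query-string parser that drops prototype-chain key segments and builds null-prototype objects, plus a check that flags such keys for request logging. The `a[b]=c` grammar and the function names are assumptions made for illustration.

```javascript
// Added example, not code from qs, Express or IBM: a query-string parser that
// refuses to create or walk prototype-chain keys, plus a detector for such keys.

// Key segments that resolve to the prototype chain of a plain object.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ['a', 'b', 'c'] after percent-decoding.
function keyPath(rawKey) {
  return decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
}

// True if any key segment in the query targets the prototype chain.
// Usable as a request-log or gateway check before the query is parsed.
function hasPrototypeKey(query) {
  return query.split('&').some((pair) => {
    const rawKey = pair.split('=')[0];
    return keyPath(rawKey).some((seg) => PROTO_KEYS.has(seg));
  });
}

// Parse "a[b]=1&a[c]=2" into nested objects. Two guards separate this from a
// naive parser: pairs carrying a prototype-chain segment are dropped, and every
// container is created with a null prototype, so no assignment can reach
// Object.prototype even if a segment slipped through.
function parseSafe(query) {
  const out = Object.create(null);
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const path = keyPath(rawKey);
    if (path.some((seg) => PROTO_KEYS.has(seg))) continue; // drop, never assign
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      // Replace scalars and missing entries with a fresh null-prototype object.
      if (typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}
```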
Affected Product(s) | Version(s)
---|---
IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0
IBM App Connect Enterprise | v11.0.0.1 - v11.0.0.16
IBM Integration Bus | v10.1
IBM Integration Bus | v10.0.0.0 - v10.0.0.26
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus
Product(s) | Version(s) | APAR | Remediation / Fix
---|---|---|---
IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT43350 | The APAR IT43350 is available in fix pack 12.0.5.0 (IBM App Connect Enterprise - 12.0.5.0)
IBM App Connect Enterprise | v11.0.0.1 - v11.0.0.16 | IT43350 | The APAR IT43350 is available in fix pack 11.0.0.17 (IBM App Connect Enterprise - 11.0.0.17)
IBM Integration Bus | v10.1 | IT43350 | *See Workarounds and Mitigations
IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43350 | *See Workarounds and Mitigations
**Workarounds and Mitigations:** For IBM Integration Bus v10.1, v10.0.0.24 and subsequent v10.0 fix packs, users can disable Node.js. Refer to "Disabling Node.js in IBM Integration Bus v10.1, v10.0.0.24 and subsequent v10.0 fix packs".