Bulletin ID: IBMA33A8EE858F6A673A1A03D4BC6C4B68742AE7192BE1C9D89DAD694EFB7E3DFD6
Published: Apr 05, 2024, 5:16 p.m.

Security Bulletin: Vulnerabilities in medikoo es5-ext and Node.js packages might affect IBM Storage Defender – Resiliency Service (CVE-2024-27088 and CVE-2024-28849)

2024-04-05 17:16:18
Source: www.ibm.com
Tags: ibm storage defender, resiliency service, denial of service, medikoo es5-ext, node.js, vulnerabilities, upgrade

CVSS3: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 7 High (confidence: Low)

EPSS: 0.0004 Low (percentile: 15.7%)

Summary

IBM Storage Defender – Resiliency Service bundles vulnerable versions of medikoo es5-ext and the Node.js follow-redirects package, which could result in a denial of service (CVE-2024-27088) or in leakage of credentials during cross-domain redirects (CVE-2024-28849). The vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2024-27088
**DESCRIPTION:** medikoo es5-ext is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By supplying specially crafted input to the affected regular expression, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/284319 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N)

CVEID: CVE-2024-28849
**DESCRIPTION:** The Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information. The module clears the Authorization header when following a cross-domain redirect but keeps the Proxy-Authorization header, so proxy credentials are forwarded to the redirect target. An attacker who controls that target could exploit this vulnerability to obtain credentials and other sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
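As an added illustration of the follow-redirects issue (example code modelled on the description above, not follow-redirects' own source), the block below contrasts a redirect follower that strips only Authorization and Cookie on a cross-domain hop with one that also strips Proxy-Authorization and refuses to carry any credential across an https to http downgrade. The sample request headers and host names are constructed, and the same-or-subdomain rule is an assumption about typical redirect policy rather than a statement of the library's exact rule.

```javascript
// Added example, not follow-redirects' code: how a redirect follower decides
// which credential-bearing headers survive a hop to a different origin.
// The vulnerable variant mirrors CVE-2024-28849 as described: Authorization
// is dropped on a cross-domain redirect but Proxy-Authorization is kept.
// URL is a Node.js global, so no imports are needed.

// Same site when the hosts are equal or the new host is a subdomain of the
// old one (assumption: a typical policy, not the library's literal rule).
function isSameOrSubdomain(prevHost, nextHost) {
  if (prevHost === nextHost) return true;
  return nextHost.endsWith("." + prevHost);
}

// Return a copy of headers without the names matching pattern.
function stripHeaders(headers, pattern) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!pattern.test(name)) out[name] = value;
  }
  return out;
}

// Vulnerable: only Authorization and Cookie are removed on a cross-domain hop,
// so Proxy-Authorization travels to whatever host the Location header names.
function redirectHeadersVulnerable(prevUrl, location, headers) {
  const prev = new URL(prevUrl);
  const next = new URL(location, prevUrl); // resolves relative Locations
  if (isSameOrSubdomain(prev.hostname, next.hostname)) return { ...headers };
  return stripHeaders(headers, /^(?:authorization|cookie)$/i);
}

// Hardened: Proxy-Authorization counts as a credential, and every credential
// is also dropped on an https -> http downgrade even within the same site
// (assumption: a conservative policy chosen for this example).
function redirectHeadersHardened(prevUrl, location, headers) {
  const prev = new URL(prevUrl);
  const next = new URL(location, prevUrl);
  const sameSite = isSameOrSubdomain(prev.hostname, next.hostname);
  const downgrade = prev.protocol === "https:" && next.protocol === "http:";
  if (sameSite && !downgrade) return { ...headers };
  return stripHeaders(headers, /^(?:authorization|proxy-authorization|cookie)$/i);
}

// Constructed sample request: a client authenticating to both a proxy and the
// origin, then being redirected to an unrelated host.
const SAMPLE_HEADERS = {
  Host: "api.example.com",
  Authorization: "Bearer sample-token",
  "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
  Cookie: "session=abc",
  Accept: "application/json",
};

// Run both policies over the same cross-domain redirect and return what each
// would forward to the new host.
function demo() {
  const from = "https://api.example.com/login";
  const to = "https://redirect-target.example.net/capture";
  return {
    vulnerable: redirectHeadersVulnerable(from, to, SAMPLE_HEADERS),
    hardened: redirectHeadersHardened(from, to, SAMPLE_HEADERS),
  };
}

console.log(demo());
```

Running the block prints the two header sets: the vulnerable policy still forwards Proxy-Authorization to redirect-target.example.net, the hardened one forwards only Host and Accept.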

Affected Products and Versions

Affected Product(s)                          Version(s)
IBM Storage Defender - Resiliency Service    2.0.0 - 2.0.2

Remediation/Fixes

The Connection Manager included with Defender 2.0.3 and newer provides the fixes. If you are using a Connection Manager obtained from Defender 2.0.0 - 2.0.2, IBM strongly recommends upgrading. Instructions for upgrading can be found here.
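The remediation above is an upgrade of the whole Connection Manager. To confirm which copies of the two packages a Node.js deployment actually carries, including nested duplicates that a deduplicated `npm ls` view can hide, here is an added check that walks a package-lock.json and flags versions below the upstream fixes. It is not IBM's tooling and not from this bulletin; the fix versions 0.10.63 (es5-ext) and 1.15.6 (follow-redirects) are taken from the npm advisories for the two CVEs rather than from this page, so verify them against those advisories before acting, and the lockfile fragment is constructed for the example.

```javascript
// Added example, not IBM's tooling: find vulnerable copies of the two packages
// named in this bulletin inside a package-lock.json (lockfileVersion 2 or 3,
// which carry a "packages" map keyed by install path).

// Fix versions assumed from the upstream npm advisories, not from the bulletin.
const FIXED = {
  "es5-ext": "0.10.63",         // CVE-2024-27088
  "follow-redirects": "1.15.6", // CVE-2024-28849
};

// "1.15.6", "1.15.6-beta.1" and "1.15.6+build" all parse to [1, 15, 6];
// pre-release tags are ignored, which is fine for the released fixes above.
function parseVersion(v) {
  const core = v.split("-")[0].split("+")[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison of dotted versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name is
// everything after the last "node_modules/", so scoped names keep "@scope/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Return every install path whose package is in FIXED and whose version is
// older than the fix.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = packageNameFromPath(path);
    const fixed = FIXED[name];
    if (fixed && meta.version && compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, name, version: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one fixed and one vulnerable copy of each
// package, the vulnerable ones nested under other dependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "connection-manager-sample", version: "1.0.0" },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.15.5" },
    "node_modules/es5-ext": { version: "0.10.62" },
    "node_modules/memoizee/node_modules/es5-ext": { version: "0.10.64" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real deployment, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every copy of both packages is at or above the assumed fix versions.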

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm storage_defender_data_protect, match 2.0.3
CPE name: ibm storage defender, operator: eq, version: 2.0.3
