Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA9A6A76FC5FE3476D655B4AB62F5D5881AD9A59F2B0B4305AD8296DF32624BA8
HistoryNov 29, 2023 - 1:44 a.m.

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js lodash module

2023-11-2901:44:17
www.ibm.com
9
ibm infosphere
node.js
lodash
vulnerabilities
denial of service
command injection

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

8.7 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

83.7%

JSON

Summary

Multiple vulnerabilities in Node.js lodash module used by IBM InfoSphere Information Server were addressed.

Vulnerability Details

CVEID:CVE-2020-28500
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-8203
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23337
**DESCRIPTION:**Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
InfoSphere Information Server 11.7

Remediation/Fixes

Product VRMF APAR Remediation
InfoSphere Information Server, InfoSphere Information Server on Cloud 11.7 DT228820 --Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply InfoSphere Information Server version 11.7.1.4
--Apply InfoSphere Information Server 11.7.1.4 Service pack 2

Workarounds and Mitigations

None

Related

ibm 60
nessus 12
redhat 14
f5 1
prion 3
github 4
osv 6
cve 3
redhatcve 3
veracode 3
ubuntucve 3
githubexploit 1
huntr 2
nodejs 1
debiancve 3
hackerone 1
redos 1
ics 1
checkpoint_advisories 1
oracle 7
ibm
ibm
Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
2023-03-27 17:21:35
Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX
2022-03-23 11:04:44
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 18:53:15
nessus
nessus
RHEL 8 : Red Hat Virtualization Host security and bug fix update [ovirt-4.4.8] (Moderate) (RHSA-2021:3459)
2022-09-15 00:00:00
RHEL 8 : RHV Manager security update (ovirt-engine) [ovirt-4.4.6] (Moderate) (RHSA-2021:2179)
2021-06-01 00:00:00
WordPress 5.8 < 5.8.1 / 5.7 < 5.7.3 / 5.6 < 5.6.5 / 5.5 < 5.5.6 / 5.4 < 5.4.7 / 5.2 < 5.2.12
2021-09-09 00:00:00
redhat
redhat
(RHSA-2021:2179) Moderate: RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
2021-06-01 11:44:38
(RHSA-2021:3459) Moderate: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.8]
2021-09-08 11:04:34
(RHSA-2020:5611) Important: Red Hat Virtualization security, bug fix, and enhancement update
2020-12-17 08:43:33
f5
f5
K12492858 : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103
2022-05-06 00:00:00
prion
prion
Command injection
2021-02-15 13:15:00
Design/Logic Flaw
2021-02-15 11:15:00
Code injection
2020-07-15 17:15:00
github
github
Command Injection in lodash
2021-05-06 16:05:51
Regular Expression Denial of Service (ReDoS) in lodash
2022-01-06 20:30:46
Prototype Pollution in lodash
2020-07-15 19:15:48
osv
osv
Regular Expression Denial of Service (ReDoS) in lodash
2022-01-06 20:30:46
CVE-2021-23337
2021-02-15 13:15:12
CVE-2020-28500
2021-02-15 11:15:12
cve
cve
CVE-2020-28500
2021-02-15 11:15:00
CVE-2021-23337
2021-02-15 13:15:00
CVE-2020-8203
2020-07-15 17:15:00
redhatcve
redhatcve
CVE-2020-28500
2021-02-15 21:48:23
CVE-2021-23337
2021-02-15 21:45:02
CVE-2020-8203
2020-07-15 20:08:37
veracode
veracode
Command Injection
2021-02-16 01:50:12
Regular Expression Denial Of Service (ReDoS)
2021-02-16 04:13:54
Prototype Pollution
2020-04-28 09:42:14
ubuntucve
ubuntucve
CVE-2021-23337
2021-02-15 00:00:00
CVE-2020-28500
2021-02-15 00:00:00
CVE-2020-8203
2020-07-15 00:00:00
githubexploit
githubexploit
Exploit for Prototype Pollution in Lodash
2020-12-01 09:45:48
huntr
huntr
Inefficient Regular Expression Complexity in liriliri/licia
2021-07-18 15:31:06
Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203
2023-02-20 02:52:19
nodejs
nodejs
Command Injection
2021-05-06 16:14:39
debiancve
debiancve
CVE-2021-23337
2021-02-15 13:15:00
CVE-2020-28500
2021-02-15 11:15:00
CVE-2020-8203
2020-07-15 17:15:00
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash)
2019-10-11 12:06:20
redos
redos
ROS-20240418-08
2024-04-18 00:00:00
ics
ics
Siemens SINEC INS
2022-09-15 12:00:00
checkpoint_advisories
checkpoint_advisories
JavaScript Prototype Pollution (CVE-2020-28269; CVE-2020-28272; CVE-2020-28273; CVE-2020-28442; CVE-2020-28458; CVE-2020-28472; CVE-2020-7778; CVE-2020-8158; CVE-2020-8203; CVE-2021-25912; CVE-2021-44906)
2020-06-21 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2022
2022-01-18 00:00:00
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

8.7 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

83.7%

JSON
Related for A9A6A76FC5FE3476D655B4AB62F5D5881AD9A59F2B0B4305AD8296DF32624BA8
ibm60nessus12redhat14f51prion3github4osv6cve3redhatcve3veracode3ubuntucve3githubexploit1huntr2nodejs1debiancve3hackerone1redos1ics1checkpoint_advisories1oracle7