IBMAA99CD4C8563D20F27AD490BF7376404E24E70FEECF0D6559CFC2D72A50AF4E6Security Bulletin: Vulnerabilities in Jinja, idna & cryptography can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.4 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Summary
IBM Storage Protect Plus Microsoft File Systems Backup and Restore can be affected by vulnerabilities in Jinja, idna & cryptography which include cross-site scripting & a denial of service, as described by the CVEs in the “Vulnerability Details” section. These vulnerabilities have been addressed. CVE-2024-34064, CVE-2024-3651, CVE-2024-26130
Vulnerability Details
CVEID:CVE-2024-34064
**DESCRIPTION:**Jinja is vulnerable to cross-site scripting, caused by the acceptance of keys containing non-attribute characters by the xmlattr filter. A remote attacker could exploit this vulnerability to inject other attributes into a Web page which would be executed in a victims Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID:CVE-2024-3651
**DESCRIPTION:**idna could allow a local user to cause a denial of service using a specially crafted argument to the idna.encode() function and consume system resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289330 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-26130
**DESCRIPTION:**cryptography is vulnerable to a denial of service, caused by a NULL pointer dereference in the pkcs12.serialize_key_and_certificates process. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283820 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Protect Plus File Systems Agent | 10.1.6 - 10.1.16.1 |
Remediation/Fixes
| Affected Versions | **Fixing **Level | Platform | Link to Fix |
|---|---|---|---|
| 10.1.6 - 10.1.16.1 | 10.1.16.2 |
Windows
| https://www.ibm.com/support/pages/node/6330495
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.4 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%