Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMAB0269F328A72DFA7F2DE2BB0EA2BCB9B9316CF2F0041B84ED7404E2839F2B2E
HistoryJul 01, 2022 - 7:05 a.m.

Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow - CVE-2021-43138

2022-07-0107:05:07
www.ibm.com
28

0.001 Low

EPSS

Percentile

48.1%

JSON

Summary

IBM Business Automation Workflow is vulnerable to a remote code execution attack.

Vulnerability Details

CVEID:CVE-2021-43138
**DESCRIPTION:**Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223605 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s) Status
IBM Business Automation Workflow traditional V22.0.1 not affected
IBM Business Automation Workflow containers V22.0.1 not affected
IBM Business Automation Workflow traditional V21.0.3
V21.0.2 affected
IBM Business Automation Workflow containers V21.0.3
V21.0.2 affected
IBM Business Automation Workflow traditional V21.0.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.0 - V18.0.0.1 not affected
IBM Business Automation Workflow containers V21.0.1
V20.0.0.1 - V20.0.0.2 not affected

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64868 as soon as practical.

Affected Product(s) Version(s) Remediation / Fix
IBM Business Automation Workflow traditional V21.0.3 Apply JR64868 or upgrade to IBM Business Automation Workflow 22.0.1
IBM Business Automation Workflow Containers V21.0.3 Apply 21.0.3-IF010 or upgrade to IBM Business Automation Workflow 22.0.1
IBM Business Automation Workflow traditional V21.0.2 Apply JR64868 or upgrade to IBM Business Automation Workflow 22.0.1
IBM Business Automation Workflow Containers V21.0.2 Apply 21.0.2-IF012 or upgrade to IBM Business Automation Workflow 22.0.1

Workarounds and Mitigations

None

Related

ibm 21
veracode 1
osv 2
cvelist 1
github 1
debiancve 1
prion 1
redhatcve 1
cve 1
openvas 6
nessus 9
fedora 5
redhat 2
redos 1
ibm
ibm
Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI
2022-07-20 16:54:39
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows may be vulnerable to arbitrary code execution due to [CVE-2021-43138]
2023-04-28 11:45:00
Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138)
2022-07-25 19:46:20
veracode
veracode
Prototype Pollution
2022-04-07 04:36:10
osv
osv
Prototype Pollution in async
2022-04-07 00:00:17
CVE-2021-43138
2022-04-06 17:15:08
cvelist
cvelist
CVE-2021-43138
2022-04-06 00:00:00
github
github
Prototype Pollution in async
2022-04-07 00:00:17
debiancve
debiancve
CVE-2021-43138
2022-04-06 17:15:00
prion
prion
Design/Logic Flaw
2022-04-06 17:15:00
redhatcve
redhatcve
CVE-2021-43138
2022-09-13 08:13:03
cve
cve
CVE-2021-43138
2022-04-06 17:15:00
openvas
openvas
Fedora: Security Advisory for yarnpkg (FEDORA-2023-ce8943223c)
2023-01-22 00:00:00
Fedora: Security Advisory for yarnpkg (FEDORA-2023-18fd476362)
2023-01-22 00:00:00
Fedora: Security Advisory for yarnpkg (FEDORA-2023-2e38c3756f)
2023-03-30 00:00:00
nessus
nessus
Fedora 36 : yarnpkg (2023-18fd476362)
2023-01-21 00:00:00
Fedora 37 : yarnpkg (2023-ce8943223c)
2023-01-21 00:00:00
SUSE SLES15 Security Update : release-notes-susemanager, release-notes-susemanager-proxy (SUSE-SU-2022:3761-1)
2023-09-20 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: yarnpkg-1.22.19-3.fc37
2023-01-21 03:34:16
[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-3.fc36
2023-01-21 03:43:23
[SECURITY] Fedora 36 Update: yarnpkg-1.22.19-5.fc36
2023-03-30 01:16:12
redhat
redhat
(RHSA-2023:3645) Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update
2023-06-15 20:53:35
(RHSA-2023:0693) Moderate: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update
2023-02-09 02:15:47
redos
redos
ROS-20240403-01
2024-04-03 00:00:00

0.001 Low

EPSS

Percentile

48.1%

JSON
Related for AB0269F328A72DFA7F2DE2BB0EA2BCB9B9316CF2F0041B84ED7404E2839F2B2E
ibm21veracode1osv2cvelist1github1debiancve1prion1redhatcve1cve1openvas6nessus9fedora5redhat2redos1