Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation

Summary

Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation

Vulnerability Details

CVEID:CVE-2017-0247
**DESCRIPTION:**Microsoft ASP.NET Core is vulnerable to a denial of service, caused by improper validation of web requests in the TextEncoder.EncodeCore function. By inserting specially-crafted content into any system using the function to encode content, a remote attacker could exploit this vulnerability to prevent any page delivering the content from loading.
CVSS Base score: 3.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/125297 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L)

CVEID:CVE-2018-1002205
**DESCRIPTION:**DotNetZip.Semvered could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing “dot dot slash” sequences (…/), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as “Zip-Slip”
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/147549 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2018-8269
**DESCRIPTION:**Microsoft OData Library is vulnerable to a denial of service, caused by improper handling of web requests. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/149668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-1301
**DESCRIPTION:**Microsoft .NET Core is vulnerable to a denial of service, caused by improper validation of user-supplied input. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166121 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-1045
**DESCRIPTION:**Microsoft ASP.NET Core could allow a remote attacker to bypass security restrictions, caused by an error when parsing encoded cookie names. By sending a specially-crafted request, an attacker could exploit this vulnerability to set a second cookie with the name being percent encoded.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-11022
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-26701
**DESCRIPTION:**Microsoft .NET Core and Visual Studio could allow a remote attacker to execute arbitrary code on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196358 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-27293
**DESCRIPTION:**RestSharp is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw when converting strings into DateTimes. By using a specially-crafted regex input in the server response string, a remote attacker could exploit this vulnerability to cause processing to take an exceedingly long time.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205246 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-34532
**DESCRIPTION:**Microsoft ASP.NET Core and Visual Studio could allow a local authenticated attacker to obtain sensitive information. By executing a specially-crafted program, an attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206380 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-3801
**DESCRIPTION:**Prismjs prism is vulnerable to a denial of service, caused by the inefficient regular expression complexity. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-3807
**DESCRIPTION:**Chalk ansi-regex module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-41184
**DESCRIPTION:**jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212277 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None