Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB8C4BDE78039C235DB5ABE09DBC6F1D98FBA33CF267BC6664D1BC3488188161A
HistoryOct 11, 2023 - 2:07 p.m.

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.4

2023-10-1114:07:06
www.ibm.com
18
ibm business automation manager
open editions
8.0.4
security vulnerabilities
denial of service
bypassing security restrictions

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.0%

JSON

Summary

In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.4

Vulnerability Details

CVEID:CVE-2023-20883
**DESCRIPTION:**VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when Spring MVC is used together with a reverse proxy cache. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255809 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4853
**DESCRIPTION:**Quarkus could allow a remote attacker to bypass security restrictions, caused by improper sanitization of requests. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the security policy altogether.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266748 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-37599
**DESCRIPTION:**loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-20860
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Business Automation Manager Open Editions 8.0.0
IBM Business Automation Manager Open Editions 8.0.1
IBM Business Automation Manager Open Editions 8.0.2
IBM Business Automation Manager Open Editions 8.0.3

Remediation/Fixes

IBM strongly suggests the following remediation / fix: Product(s) Version(s) Remediation/Fix
IBM Business Automation Manager Open Editions 8.0.0, 8.0.1, 8.0.2, 8.0.3 Download 8.0.4 and follow instructions.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch8.0.4

Related

osv 8
ibm 49
redhatcve 5
debiancve 2
veracode 4
nvd 4
ubuntucve 2
prion 4
cvelist 4
spring 2
cve 4
github 4
redhat 22
nessus 15
openvas 7
githubexploit 1
atlassian 1
f5 1
fedora 2
oracle 4
osv
osv
Spring Boot Welcome Page Denial of Service
2023-05-26 18:30:21
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
2022-10-12 12:00:27
CVE-2022-37599
2022-10-11 19:15:11
ibm
ibm
Security Bulletin: VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component
2023-07-24 20:52:47
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 18:46:35
Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to loader-utils CVE-2022-37599
2023-01-03 09:16:42
redhatcve
redhatcve
CVE-2022-37599
2023-05-23 10:40:04
CVE-2023-20883
2023-05-23 15:10:48
CVE-2023-4853
2023-09-08 19:35:42
debiancve
debiancve
CVE-2022-37599
2022-10-11 19:15:11
CVE-2023-20860
2023-03-27 22:15:21
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2022-10-12 02:12:19
Security Bypass
2023-03-30 02:11:25
Incorrect Authorization
2024-04-02 05:59:45
nvd
nvd
CVE-2022-37599
2022-10-11 19:15:11
CVE-2023-20860
2023-03-27 22:15:21
CVE-2023-20883
2023-05-26 17:15:14
ubuntucve
ubuntucve
CVE-2023-20860
2023-03-27 00:00:00
CVE-2022-37599
2022-10-11 00:00:00
prion
prion
Denial of service
2022-10-11 19:15:00
Design/Logic Flaw
2023-09-20 10:15:00
Default configuration
2023-05-26 17:15:00
cvelist
cvelist
CVE-2023-20883
2023-05-26 00:00:00
CVE-2022-37599
2022-10-11 00:00:00
CVE-2023-4853 Quarkus: http security policy bypass
2023-09-20 09:47:32
spring
spring
This Week in Spring - May 23rd, 2023
2023-05-23 00:00:00
This Week in Spring - March 21st, 2023
2023-03-21 00:00:00
cve
cve
CVE-2022-37599
2022-10-11 19:15:11
CVE-2023-4853
2023-09-20 10:15:14
CVE-2023-20883
2023-05-26 17:15:14
github
github
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
2022-10-12 12:00:27
Quarkus HTTP vulnerable to incorrect evaluation of permissions
2023-09-20 12:30:22
Spring Boot Welcome Page Denial of Service
2023-05-26 18:30:21
redhat
redhat
(RHSA-2023:5170) Important: Red Hat build of Quarkus 2.13.8 release and security update
2023-09-14 14:29:11
(RHSA-2023:5479) Important: Release of OpenShift Serverless Client kn 1.30.1 security update
2023-10-05 14:09:08
(RHSA-2023:4200) Important: Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 security update
2023-07-18 13:47:15
nessus
nessus
RHEL 8 : Release of OpenShift Serverless Client kn 1.30.1 (RHSA-2023:5479)
2024-04-28 00:00:00
Spring Framework 5.3.x < 5.3.26 / 6.0.x < 6.0.7 Security Bypass (CVE-2023-20860)
2023-05-04 00:00:00
RHEL 8 : Red Hat Virtualization (RHSA-2023:3771)
2023-06-22 00:00:00
openvas
openvas
VMware Spring Boot < 2.5.15, 2.6.x < 2.6.15, 2.7.x < 2.7.12, 3.0.x < 3.0.7 DoS Vulnerability
2023-05-22 00:00:00
VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows
2023-03-21 00:00:00
VMware Spring Framework < 5.2.23, 5.3.x < 5.3.26, 6.0.x < 6.0.7 DoS Vulnerability - Windows
2023-03-21 00:00:00
githubexploit
githubexploit
Exploit for CVE-2023-20860
2023-03-24 07:23:52
atlassian
atlassian
Upgrade spring-core for CVE-2023-20860
2023-05-17 06:46:56
f5
f5
K000134500 : Spring Framework vulnerability CVE-2023-20860
2023-05-08 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: yarnpkg-1.22.21-2.fc39
2024-02-28 01:10:55
[SECURITY] Fedora 38 Update: yarnpkg-1.22.21-2.fc38
2024-02-28 01:41:33
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2024
2024-01-16 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.0%

JSON
Related for B8C4BDE78039C235DB5ABE09DBC6F1D98FBA33CF267BC6664D1BC3488188161A
osv8ibm49redhatcve5debiancve2veracode4nvd4ubuntucve2prion4cvelist4spring2cve4github4redhat22nessus15openvas7githubexploit1atlassian1f51fedora2oracle4