Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD6677B366CD35E1B4F6DF838B54EFE8571FBCE9D92919BBCBB56A5A34A788F1B
HistoryJan 30, 2023 - 9:27 p.m.

Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

2023-01-3021:27:00
www.ibm.com
19

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

50.9%

JSON

Summary

Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Node.js follow-redirects is used by IBM Robotic Process Automation as part of API Server functionality (CVE-2022-0536). Madialize URI.js module for NPM is used by IBM Robotic Process Automation as part of API Server functionality (CVE-2022-0613). TrustCor is used by IBM Robotic Process Automation as part of Watson NLP (CVE-2022-23491). URI.js is used by IBM Robotic Process Automation as part of API Server functionality (CVE-2022-24723). Microsoft .NET Framework is used by IBM Robotic Process Automation as part of its underlying infrastructure and runtime (CVE-2022-41064). snakeYAML is used by IBM Robotic Process Automation as part of Abbyy, WebSphere Liberty, AntiVirus and Watson NLP (CVE-2022-41854). Python is used by IBM Robotic Process Automation as part of base container images, ClamAv, WebSphere Liberty and Watson NLP (CVE-2022-42919). This bulletin identifies the security fixes to apply to address these vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-0536
**DESCRIPTION:**Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by a leakage of the Authorization header from the same hostname during HTTPS to HTTP redirection. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain Authorization header information, and use this information to launch further attacks against the affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219551 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2022-0613
**DESCRIPTION:**Medialize URI.js module for NPM could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request using case-insensitive protocol schemes, an attacker could exploit this vulnerability to bypass host validation or conduct open redirect and SSRF attacks.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219774 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2022-23491
**DESCRIPTION:**An unspecified error in with TrustCor’s ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)

CVEID:CVE-2022-24723
**DESCRIPTION:**URI.js could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass protocol validation.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220981 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-41064
**DESCRIPTION:**Microsoft .NET Framework could allow a remote authenticated attacker to obtain sensitive information. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238854 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID:CVE-2022-41854
**DESCRIPTION:**snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-42919
**DESCRIPTION:**Python on Linux could allow a local authenticated attacker to gain elevated privileges on the system, caused by the deserialization of pickles from any user in the same machine local network namespace. An attacker could exploit this vulnerability to gain privileges that any Python multiprocessing forkserver process is running as.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240032 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Robotic Process Automation for Cloud Pak 21.0.1-21.0.7, 23.0.0

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability now.**Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Robotic Process Automation for Cloud Pak 21.0.1-21.0.7 Update to 21.0.7.1 or higher using the following instructions.
IBM Robotic Process Automation for Cloud Pak 23.0.0 Update to 23.0.1 or higher using the following instructions.

Workarounds and Mitigations

None.

Related

prion 7
huntr 1
osv 18
cve 7
cnvd 1
redhatcve 5
github 5
veracode 7
ubuntucve 7
mageia 1
openvas 29
mskb 18
ibm 21
mscve 1
redos 1
f5 1
nessus 32
amazon 4
fedora 15
cbl_mariner 3
debiancve 4
oraclelinux 2
alpinelinux 1
rocky 3
almalinux 2
redhat 2
ubuntu 1
prion
prion
Input validation
2022-03-03 21:15:00
Design/Logic Flaw
2022-12-07 22:15:00
Information disclosure
2022-11-09 22:15:00
huntr
huntr
Protocol/Hostname spoofing via Improper Input Validation
2022-02-27 02:50:37
osv
osv
CVE-2022-24723
2022-03-03 21:15:07
Leading white space bypasses protocol validation
2022-03-03 19:23:36
.NET Information Disclosure Vulnerability
2022-11-08 23:00:22
cve
cve
CVE-2022-24723
2022-03-03 21:15:00
CVE-2022-41064
2022-11-09 22:15:00
CVE-2022-41854
2022-11-11 13:15:00
cnvd
cnvd
Medialize URI.js Input Validation Error Vulnerability (CNVD-2022-19502)
2022-03-04 00:00:00
redhatcve
redhatcve
CVE-2022-24723
2022-03-09 16:57:45
CVE-2022-41854
2022-12-09 13:34:48
CVE-2022-23491
2023-03-20 17:43:03
github
github
Leading white space bypasses protocol validation
2022-03-03 19:23:36
.NET Information Disclosure Vulnerability
2022-11-08 23:00:22
Snakeyaml vulnerable to Stack overflow leading to denial of service
2022-11-11 19:00:31
veracode
veracode
Cross-site Scripting (XSS)
2022-03-04 04:13:53
Information Disclosure
2022-11-10 13:49:48
Improper Certification Validation
2022-12-08 13:48:48
ubuntucve
ubuntucve
CVE-2022-24723
2022-03-03 00:00:00
CVE-2022-41064
2022-11-09 00:00:00
CVE-2022-41854
2022-11-11 00:00:00
mageia
mageia
Updated python-certifi packages fix security vulnerability
2023-04-15 22:03:44
openvas
openvas
openSUSE: Security Advisory for python (SUSE-SU-2023:0139-1)
2024-03-04 00:00:00
Mageia: Security Advisory (MGASA-2023-0140)
2023-04-17 00:00:00
Fedora: Security Advisory for mingw-python-certifi (FEDORA-2023-bc1545f9bc)
2023-03-30 00:00:00
mskb
mskb
November 8, 2022-KB5020692 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Microsoft server operating system version 21H2
2022-11-08 08:00:00
November 8, 2022-Security Only Update for .NET Framework 4.6.2 for Windows Server 2008 SP2 (KB5020681)
2022-11-08 08:00:00
November 8, 2022-Security Only Update for .NET Framework 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB5020678)
2022-11-08 08:00:00
ibm
ibm
Security Bulletin: A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064)
2023-03-08 20:18:19
Security Bulletin: A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064)
2023-09-11 16:04:21
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi
2023-01-30 18:02:10
mscve
mscve
.NET Framework Information Disclosure Vulnerability
2022-11-08 08:00:00
redos
redos
ROS-20230619-03
2023-06-19 00:00:00
f5
f5
K000132764 : SSL Certificates in Mozilla vulnerability CVE-2022-23491
2023-02-27 00:00:00
nessus
nessus
Amazon Linux 2023 : python3-certifi (ALAS2023-2023-062)
2023-03-21 00:00:00
Amazon Linux AMI : ca-certificates (ALAS-2023-1690)
2023-02-23 00:00:00
Amazon Linux 2 : ca-certificates (ALAS-2023-1957)
2023-02-23 00:00:00
amazon
amazon
Important: ca-certificates
2023-02-17 00:12:00
Important: ca-certificates
2023-02-17 00:02:00
Important: ca-certificates
2023-08-03 20:16:00
fedora
fedora
[SECURITY] Fedora 36 Update: mingw-python-certifi-2022.12.7-1.fc36
2023-03-30 01:16:08
[SECURITY] Fedora 37 Update: mingw-python-certifi-2022.12.7-1.fc37
2023-03-30 01:21:30
[SECURITY] Fedora 38 Update: picocli-4.7.4-1.fc38
2023-07-06 02:19:58
cbl_mariner
cbl_mariner
CVE-2022-41854 affecting package snakeyaml 1.25-2
2024-05-04 21:06:47
CVE-2022-42919 affecting package python3 for versions less than 3.9.14-5
2022-12-19 20:12:40
CVE-2022-42919 affecting package python3 3.7.13-6
2023-06-13 20:02:41
debiancve
debiancve
CVE-2022-23491
2022-12-07 22:15:00
CVE-2022-41854
2022-11-11 13:15:00
CVE-2022-42919
2022-11-07 00:15:00
oraclelinux
oraclelinux
python39:3.9 security update
2022-11-22 00:00:00
python3.9 security update
2022-11-24 00:00:00
alpinelinux
alpinelinux
CVE-2022-42919
2022-11-07 00:15:00
rocky
rocky
python39:3.9 security update
2022-11-16 10:10:13
python3.9 security update
2022-11-16 10:26:42
.NET Core 3.1 on Rocky Linux 8 bugfix update
2022-04-18 13:16:19
almalinux
almalinux
Important: python3.9 security update
2022-11-16 00:00:00
Important: python39:3.9 security update
2022-11-16 00:00:00
redhat
redhat
(RHSA-2022:8493) Important: python3.9 security update
2022-11-16 10:26:42
(RHSA-2022:8492) Important: python39:3.9 security update
2022-11-16 10:10:13
ubuntu
ubuntu
Python vulnerability
2022-11-03 00:00:00

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

50.9%

JSON
Related for D6677B366CD35E1B4F6DF838B54EFE8571FBCE9D92919BBCBB56A5A34A788F1B
prion7huntr1osv18cve7cnvd1redhatcve5github5veracode7ubuntucve7mageia1openvas29mskb18ibm21mscve1redos1f51nessus32amazon4fedora15cbl_mariner3debiancve4oraclelinux2alpinelinux1rocky3almalinux2redhat2ubuntu1