Lucene search

K
ibmIBMD71F903EC9EE20A4A8C2DCFB2E21D38954D4598BFB4CF4FB467C4DD0050F0624
HistoryJul 19, 2021 - 12:06 p.m.

Security Bulletin: Vulnerabilities in Python affect OS Image for RedHat bundled with Cloud Pak System

2021-07-1912:06:52
www.ibm.com
19
python
vulnerabilities
os image
red hat
ibm cloud pak system
cross-site scripting

EPSS

0.002

Percentile

59.2%

Summary

Vulnerabilities in Open Source Python affect OS Image Red Hat bundled with IBM Cloud Pak System. OS Image Red Hat addressed applicable CVEs.

Vulnerability Details

CVEID:CVE-2019-16935
**DESCRIPTION:**Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak System v2.3.0.1, v2.3.1.1, v.2.3.2.0
IBM Cloud Pak System v2.3.3.0, v2.3.3.1, v.2.3.3.2, v.2.3.3.3

Remediation/Fixes

If you are using an earlier unsupported release, IBM strongly recommends that you upgrade.

Cloud Pak System update python v2.7.17 with IBM OS Image for Red Hat Linux Systems (RHEL 7.9) 3.1.3.0 related OS packages python-2.7.5-90*.

For Cloud Pak System v2.3.0.1, v2.3.1.1, v.2.3.2.0, v2.3.3.0, v2.3.3.1, v.2.3.3.2,

upgrade to Cloud Pak System v2.3.3.3 and apply Cloud Pak System v2.3.3.3 Interim Fix 1 at Fix Central.

For Cloud Pak System v.2.3.3.3

apply Cloud Pak System v2.3.3.3 Interim Fix 1 at Fix Central.

Information on upgrading at : <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

Workarounds and Mitigations

None