CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
Go Git is used by IBM Storage Ceph in Grafana for Metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. (CVE-2023-49568, CVE-2023-49569)
CVEID:CVE-2023-49568
**DESCRIPTION:**go-git is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted responses from a Git server, a remote attacker could exploit this vulnerability to trigger resource exhaustion in go-git clients, and results in a denial of service conditoin.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279389 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-49569
**DESCRIPTION:**go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS <https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS>, an attacker could exploit this vulnerability to create and amend files across the filesystem and possibly execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Storage Ceph | 7.0-7.0z2 |
IBM Storage Ceph | 6.0, 6.1-6.1z6 |
IBM Storage Ceph | 5.3-5.3z6 |
IBM Storage Ceph does not use ChrootOS, and thus is not vulnerable. The affected code has been removed in the latest version of grafana, and updated accordingly in IBM Storage Ceph.
IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.
<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | storage_ceph | 7.0 | cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:* |
ibm | storage_ceph | 2 | cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:* |
ibm | storage_ceph | 6.0 | cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:* |
ibm | storage_ceph | 6.1 | cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:* |
ibm | storage_ceph | 6 | cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:* |
ibm | storage_ceph | 5.3 | cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High