Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME04AC91E8FB9BE70EE665F981F630B364C95C7CC544373C0B25EB82E264509D2
HistoryJun 16, 2023 - 3:19 p.m.

Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities

2023-06-1615:19:39
www.ibm.com
8
ibm cloud pak for security
vulnerabilities
update
remediation
cveid
trustcor
redis
redis-py
sequelieze
sql injection
tiki wiki
cms groupware

0.002 Low

EPSS

Percentile

51.3%

JSON

Summary

IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security (CP4S).

Vulnerability Details

CVEID:CVE-2022-23491
**DESCRIPTION:**An unspecified error in with TrustCor’s ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)

CVEID:CVE-2023-28859
**DESCRIPTION:**Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251077 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-28858
**DESCRIPTION:**Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251076 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-22578
**DESCRIPTION:**Sequelize is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2023-22579
**DESCRIPTION:**Sequelize could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a type confusion flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2023-22580
**DESCRIPTION:**Tiki Wiki CMS Groupware could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the /lib/sheet/grid.php script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249160 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:**221376
**DESCRIPTION:**Springfox could allow a remote authenticated attacker to bypass security restrictions, caused by a log injection flaw in io.springfox:springfox-swagger-ui. By sending a specially-crafted request, an attacker could exploit this vulnerability to forge log entries or inject malicious content into the logs.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221376 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Cloud Pak for Security (CP4S) 1.10.0.0 - 1.10.10.0

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Please upgrade to at least CP4S 1.10.11.0 following these instructions: <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10?topic=installing-upgrading-cloud-pak-security&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud pak for securityeq1.10

Related

prion 6
github 6
freebsd 2
osv 14
alpinelinux 2
debiancve 3
cve 6
nessus 20
redos 2
cvelist 6
ubuntucve 3
veracode 6
redhatcve 3
githubexploit 1
f5 1
ibm 23
fedora 3
amazon 4
mageia 1
openvas 12
zdt 1
packetstorm 1
photon 3
oracle 4
prion
prion
Design/Logic Flaw
2023-03-26 19:15:00
Input validation
2023-02-16 15:15:00
Input validation
2023-02-16 15:15:00
github
github
redis-py Race Condition due to incomplete fix
2023-03-26 21:30:23
redis-py Race Condition vulnerability
2023-03-26 21:30:23
Sequelize information disclosure vulnerability
2023-02-16 15:30:28
freebsd
freebsd
py39-redis -- can send response data to the client of an unrelated request
2023-03-26 00:00:00
py39-redis -- can send response data to the client of an unrelated request
2023-03-26 00:00:00
osv
osv
PYSEC-2023-45
2023-03-26 19:15:00
CVE-2023-28858
2023-03-26 19:15:06
redis-py Race Condition due to incomplete fix
2023-03-26 21:30:23
alpinelinux
alpinelinux
CVE-2023-28858
2023-03-26 19:15:06
CVE-2023-28859
2023-03-26 19:15:06
debiancve
debiancve
CVE-2023-28858
2023-03-26 19:15:06
CVE-2023-28859
2023-03-26 19:15:06
CVE-2022-23491
2022-12-07 22:15:00
cve
cve
CVE-2023-28858
2023-03-26 19:15:06
CVE-2023-22580
2023-02-16 15:15:18
CVE-2023-22579
2023-02-16 15:15:18
nessus
nessus
FreeBSD : py39-redis -- can send response data to the client of an unrelated request (3f6d6181-79b2-4d33-bb1e-5d3f9df0c1d1)
2023-04-14 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-arcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, python-httplib2, python-httpretty, python-javaproperties, python-jsondiff, python-knack, python-marshmallow, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-opentelemetry-sdk, python-opentelemetry-semantic-conventions, python-opentelemetry-test-utils, python-pycomposefile, python-pydash, python-redis, python-retrying, python-semver, python-sshtunnel, python-strictyaml, python-sure, python-vcrpy, python-xmltodict (SUSE-SU-2024:1639-1)
2024-05-15 00:00:00
Amazon Linux AMI : ca-certificates (ALAS-2023-1690)
2023-02-23 00:00:00
redos
redos
ROS-20230620-07
2023-06-20 00:00:00
ROS-20230619-03
2023-06-19 00:00:00
cvelist
cvelist
CVE-2023-28858
2023-03-26 00:00:00
CVE-2023-22578 Sequalize - Default support for “raw attributes” when using parentheses
2023-02-16 14:11:36
CVE-2023-22580 Sequalize - Bad query filtering leading to SQL errors
2023-02-16 14:11:35
ubuntucve
ubuntucve
CVE-2023-28858
2023-03-26 00:00:00
CVE-2023-28859
2023-03-26 00:00:00
CVE-2022-23491
2022-12-07 00:00:00
veracode
veracode
Race Condition
2023-03-28 02:50:08
SQL Injection
2023-02-17 06:27:05
Information Disclosure
2023-02-18 19:44:02
redhatcve
redhatcve
CVE-2023-28858
2023-03-27 12:43:38
CVE-2023-28859
2023-03-27 12:43:36
CVE-2022-23491
2023-03-20 17:43:03
githubexploit
githubexploit
Exploit for Off-by-one Error in Redis Redis-Py
2023-03-26 22:03:57
f5
f5
K000132764 : SSL Certificates in Mozilla vulnerability CVE-2022-23491
2023-02-27 00:00:00
ibm
ibm
Security Bulletin: A vulnerability in Certifi package may affect IBM Storage Scale (CVE-2022-23491)
2023-06-14 12:30:28
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi
2023-01-30 18:02:10
Security Bulletin: Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite
2023-08-08 20:43:37
fedora
fedora
[SECURITY] Fedora 36 Update: mingw-python-certifi-2022.12.7-1.fc36
2023-03-30 01:16:08
[SECURITY] Fedora 38 Update: mingw-python-certifi-2022.12.7-1.fc38
2023-03-30 00:23:13
[SECURITY] Fedora 37 Update: mingw-python-certifi-2022.12.7-1.fc37
2023-03-30 01:21:30
amazon
amazon
Important: ca-certificates
2023-02-17 00:12:00
Important: ca-certificates
2023-02-17 00:02:00
Important: ca-certificates
2023-08-03 18:35:00
mageia
mageia
Updated python-certifi packages fix security vulnerability
2023-04-15 22:03:44
openvas
openvas
Check MK 1.6.x < 2.2.0b1, 2.3.x < 2.3.0b1 Certification Validation Vulnerability
2023-03-06 00:00:00
Mageia: Security Advisory (MGASA-2023-0140)
2023-04-17 00:00:00
Fedora: Security Advisory for mingw-python-certifi (FEDORA-2023-bc1545f9bc)
2023-03-30 00:00:00
zdt
zdt
Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection Vulnerability
2023-01-10 00:00:00
packetstorm
packetstorm
Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection
2023-01-10 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-3.0-0704
2023-12-26 00:00:00
Critical Photon OS Security Update - PHSA-2023-5.0-0179
2023-12-24 00:00:00
Critical Photon OS Security Update - PHSA-2023-4.0-0534
2023-12-24 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

0.002 Low

EPSS

Percentile

51.3%

JSON
Related for E04AC91E8FB9BE70EE665F981F630B364C95C7CC544373C0B25EB82E264509D2
prion6github6freebsd2osv14alpinelinux2debiancve3cve6nessus20redos2cvelist6ubuntucve3veracode6redhatcve3githubexploit1f51ibm23fedora3amazon4mageia1openvas12zdt1packetstorm1photon3oracle4