IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security (CP4S).
CVEID:CVE-2022-23491
**DESCRIPTION:**An unspecified error in with TrustCor’s ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CVEID:CVE-2023-28859
**DESCRIPTION:**Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251077 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-28858
**DESCRIPTION:**Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251076 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-22578
**DESCRIPTION:**Sequelize is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2023-22579
**DESCRIPTION:**Sequelize could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a type confusion flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2023-22580
**DESCRIPTION:**Tiki Wiki CMS Groupware could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the /lib/sheet/grid.php script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249160 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**IBM X-Force ID:**221376
**DESCRIPTION:**Springfox could allow a remote authenticated attacker to bypass security restrictions, caused by a log injection flaw in io.springfox:springfox-swagger-ui. By sending a specially-crafted request, an attacker could exploit this vulnerability to forge log entries or inject malicious content into the logs.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221376 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
Cloud Pak for Security (CP4S) | 1.10.0.0 - 1.10.10.0 |
IBM encourages customers to update their systems promptly.
Please upgrade to at least CP4S 1.10.11.0 following these instructions: <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10?topic=installing-upgrading-cloud-pak-security>
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud pak for security | eq | 1.10 |