Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME1A334EAF2CC75BCF6512F5A59FDD7843821257B473DFC33173DB52BF1A3CDDF
HistoryDec 06, 2023 - 4:30 p.m.

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

2023-12-0616:30:24
www.ibm.com
4
ibm cloud transformation advisor
java
node.js
security vulnerabilities
cveid
confidentiality impacts
integrity impacts
bypass security restrictions
path traversal bypass
code injection flaw
binary planting vulnerability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.732 High

EPSS

Percentile

98.1%

JSON

Summary

IBM Cloud Transformation Advisor has addressed multiple Java and Node.js security vulnerabilities listed herein.

Vulnerability Details

CVEID:CVE-2023-22045
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-38552
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the circumvention of integrity checks by the policy feature. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268789 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-39331
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268787 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-39332
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass using non-Buffer Uint8Array objects. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268788 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-39333
**DESCRIPTION:**Node.js could allow a remote attacker to gain unauthorized access to the system, caused by a code injection flaw. By using specially crafted export names in an imported WebAssembly module, an attacker could exploit this vulnerability to inject JavaScript code and gain access to restricted data and functions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268790 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Transformation Advisor 2.0.1 - 3.7.1

Remediation/Fixes

Product(s) Version(s) Remediation/Fix/Instructions
IBM Cloud Transformation Advisor 2.0.1 - 3.7.1 Install v3.8.0 from OperatorHub page in Red Hat OpenShift Container Platform or locally following this link.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_transformation_advisorMatch3.
CPENameOperatorVersion
ibm cloud transformation advisoreq3.

Related

ibm 43
redhat 13
openvas 23
fedora 6
osv 11
oraclelinux 6
nessus 52
almalinux 5
rocky 3
photon 1
nodejsblog 1
f5 1
mageia 1
cloudlinux 1
debiancve 3
nvd 2
redhatcve 3
alpinelinux 3
veracode 5
cvelist 2
wolfi 3
cgr 3
hackerone 3
ubuntucve 2
prion 1
cve 1
cbl_mariner 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.14 and earlier
2024-01-19 18:15:17
Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor
2024-01-17 07:30:23
Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to Node.js
2023-12-11 10:00:07
redhat
redhat
(RHSA-2023:7205) Important: nodejs:20 security update
2023-11-14 16:23:42
(RHSA-2023:5849) Important: nodejs:18 security update
2023-10-18 15:11:16
(RHSA-2023:5869) Important: nodejs:18 security update
2023-10-18 22:01:20
openvas
openvas
Fedora: Security Advisory for nodejs20 (FEDORA-2023-7b52921cae)
2023-11-05 00:00:00
Node.js 18.x < 18.18.2, 20.x < 20.8.1 Multiple Vulnerabilities - Mac OS X
2023-10-12 00:00:00
Fedora: Security Advisory for nodejs20 (FEDORA-2023-4d2fd884ea)
2023-10-28 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38
2023-10-26 01:51:49
[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39
2023-11-03 18:59:18
[SECURITY] Fedora 37 Update: nodejs20-20.8.1-1.fc37
2023-10-26 01:35:05
osv
osv
Important: nodejs:20 security update
2023-11-14 00:00:00
Important: nodejs:20 security update
2023-11-28 22:43:02
Important: nodejs:18 security update
2023-10-18 00:00:00
oraclelinux
oraclelinux
nodejs:20 security update
2023-11-22 00:00:00
18 security update
2023-10-20 00:00:00
nodejs:18 security update
2023-10-23 00:00:00
nessus
nessus
RHEL 8 : nodejs:20 (RHSA-2023:7205)
2023-11-14 00:00:00
Fedora 38 : nodejs20 (2023-4d2fd884ea)
2023-10-26 00:00:00
Rocky Linux 8 : nodejs:20 (RLSA-2023:7205)
2023-11-28 00:00:00
almalinux
almalinux
Important: nodejs:20 security update
2023-11-14 00:00:00
Important: nodejs:18 security update
2023-10-18 00:00:00
Important: nodejs:18 security update
2023-10-18 00:00:00
rocky
rocky
nodejs:20 security update
2023-11-28 22:43:02
java-1.8.0-openjdk security and bug fix update
2023-08-08 12:34:39
java-1.8.0-openjdk security and bug fix update
2023-08-08 12:34:57
photon
photon
Critical Photon OS Security Update - PHSA-2023-5.0-0132
2023-11-01 00:00:00
nodejsblog
nodejsblog
Friday October 13 2023 Security Releases
2023-10-13 00:00:00
f5
f5
K000137330 : Node.JS vulnerabilities CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, and CVE-2023-3933
2023-10-24 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2023-10-23 00:04:51
cloudlinux
cloudlinux
java-1.8.0-openjdk: Fix of 2 CVEs
2023-08-03 16:57:30
debiancve
debiancve
CVE-2023-39333
2023-10-18 16:19:41
CVE-2023-38552
2023-10-18 04:15:11
CVE-2023-22045
2023-07-18 21:15:14
nvd
nvd
CVE-2023-38552
2023-10-18 04:15:11
CVE-2023-22045
2023-07-18 21:15:14
redhatcve
redhatcve
CVE-2023-38552
2023-10-16 16:49:23
CVE-2023-39333
2023-10-16 16:50:07
CVE-2023-22045
2023-07-19 13:43:53
alpinelinux
alpinelinux
CVE-2023-39333
2023-10-18 16:19:41
CVE-2023-38552
2023-10-18 04:15:11
CVE-2023-22045
2023-07-18 21:15:14
veracode
veracode
Cross Site Scripting (XSS)
2023-11-29 10:20:34
Policy Bypass
2023-11-28 07:35:03
Path Traversal
2023-11-30 21:30:47
cvelist
cvelist
CVE-2023-38552
2023-10-18 03:55:18
CVE-2023-22045
2023-07-18 20:18:28
wolfi
wolfi
CVE-2023-39332 vulnerabilities
2024-06-28 09:08:32
CVE-2023-39331 vulnerabilities
2024-06-28 09:08:32
CVE-2023-38552 vulnerabilities
2024-06-28 09:08:32
cgr
cgr
CVE-2023-39331 vulnerabilities
2024-05-19 03:07:16
CVE-2023-39332 vulnerabilities
2024-05-19 03:07:16
CVE-2023-38552 vulnerabilities
2024-05-19 03:07:16
hackerone
hackerone
Node.js: Integrity checks according to policies can be circumvented
2023-08-02 22:05:07
Internet Bug Bounty: Integrity checks according to policies can be circumvented in Node.js 20 and Node.js 18
2023-10-14 00:08:47
Internet Bug Bounty: Path traversal by monkey-patching Buffer internals
2024-03-26 14:50:28
ubuntucve
ubuntucve
CVE-2023-38552
2023-10-18 00:00:00
CVE-2023-39333
2023-10-23 00:00:00
prion
prion
Design/Logic Flaw
2023-10-18 04:15:00
cve
cve
CVE-2023-38552
2023-10-18 04:15:11
cbl_mariner
cbl_mariner
CVE-2023-38552 affecting package nodejs18 for versions less than 18.18.2-2
2023-11-08 02:07:28

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.732 High

EPSS

Percentile

98.1%

JSON
Related for E1A334EAF2CC75BCF6512F5A59FDD7843821257B473DFC33173DB52BF1A3CDDF
ibm43redhat13openvas23fedora6osv11oraclelinux6nessus52almalinux5rocky3photon1nodejsblog1f51mageia1cloudlinux1debiancve3nvd2redhatcve3alpinelinux3veracode5cvelist2wolfi3cgr3hackerone3ubuntucve2prion1cve1cbl_mariner1