Lucene search

IBME65CBAD5AAEA458AE10AC2016C3498C27C81BFB7B6C6520512D5C43F431E46AA

HistoryAug 31, 2023 - 2:39 p.m.

Security Bulletin: A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170).

2023-08-3114:39:23

www.ibm.com

microsoftaspnetcore.identity

ibm robotic process automation

security restrictions

vulnerability

cve-2023-33170

race condition

confidentiality

integrity

availability

cvss base

cvss temporal

remote attacker

ibm

sharepoint server

robotic process automation

cloud pak

remediation

instructions

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

45.8%

JSON

Summary

Microsoft.AspNetCore.Identity is used by IBM Robotic Process Automation as part of login functionality. (CVE-2023-33170)

Vulnerability Details

CVEID:CVE-2023-33170
**DESCRIPTION:**Microsoft SharePoint Server could allow a remote attacker to bypass security restrictions. By winning a race condition, an attacker could exploit this vulnerability to bypass security feature to cause impact on confidentiality, integrity and Availability.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259512 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Robotic Process Automation	21.0.0 - 21.0.7.7, 23.0.0 - 23.0.8
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.7, 23.0.0 - 23.0.8

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Robotic Process Automation	21.0.0 - 21.0.7.7	Download 21.0.7.8 or higher and follow these instructions.
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.7	Update to 21.0.7.8 or higher using the following instructions.
IBM Robotic Process Automation	23.0.0 - 23.0.8	Download 23.0.9 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.8| Update to 23.0.9 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmrobotic_process_automationMatch21.0.0

ibmrobotic_process_automationMatch21.0.7.7

ibmrobotic_process_automationMatch23.0.0

ibmrobotic_process_automationMatch23.0.8

CPENameOperatorVersion
ibm robotic process automationeq21.0.0
ibm robotic process automationeq21.0.7.7
ibm robotic process automationeq23.0.0
ibm robotic process automationeq23.0.8

Name	Operator	Version
ibm robotic process automation	eq	21.0.0
ibm robotic process automation	eq	21.0.7.7
ibm robotic process automation	eq	23.0.0
ibm robotic process automation	eq	23.0.8