Lucene search

K
ibmIBME65CBAD5AAEA458AE10AC2016C3498C27C81BFB7B6C6520512D5C43F431E46AA
HistoryAug 31, 2023 - 2:39 p.m.

Security Bulletin: A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170).

2023-08-3114:39:23
www.ibm.com
23
microsoftaspnetcore.identity
ibm robotic process automation
security restrictions
vulnerability
cve-2023-33170
race condition
confidentiality
integrity
availability
cvss base
cvss temporal
remote attacker
ibm
sharepoint server
robotic process automation
cloud pak
remediation
instructions

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

45.7%

Summary

Microsoft.AspNetCore.Identity is used by IBM Robotic Process Automation as part of login functionality. (CVE-2023-33170)

Vulnerability Details

CVEID:CVE-2023-33170
**DESCRIPTION:**Microsoft SharePoint Server could allow a remote attacker to bypass security restrictions. By winning a race condition, an attacker could exploit this vulnerability to bypass security feature to cause impact on confidentiality, integrity and Availability.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259512 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Robotic Process Automation 21.0.0 - 21.0.7.7, 23.0.0 - 23.0.8
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.7, 23.0.0 - 23.0.8

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Robotic Process Automation 21.0.0 - 21.0.7.7 Download 21.0.7.8 or higher and follow these instructions.
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.7 Update to 21.0.7.8 or higher using the following instructions.
IBM Robotic Process Automation 23.0.0 - 23.0.8 Download 23.0.9 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.8| Update to 23.0.9 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibmrobotic_process_automationMatch21.0.0
OR
ibmrobotic_process_automationMatch21.0.7.7
OR
ibmrobotic_process_automationMatch23.0.0
OR
ibmrobotic_process_automationMatch23.0.8

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

45.7%