Lucene search

K
ibmIBME9D6A0672F1F0D9C2E1A361470DB9C3E4197588832F7917CEB15AE7BD52C3F33
HistoryFeb 22, 2024 - 1:15 p.m.

Security Bulletin: Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty

2024-02-2213:15:04
www.ibm.com
14
rational service tester
eclipse jetty
vulnerability
access restrictions
authentication
command quoting
security
upgrade
version 11.0.0

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

29.8%

Summary

Due to the use of Eclipse Jetty, Rational Service Tester contains a vulnerability around authentication validation that could allow bypassing access restrictions (CVE-2023-41900) and a vulnerability around command quoting that could allow further attacks on the system (CVE-2023-36479).

Vulnerability Details

CVEID:CVE-2023-41900
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication validation when using the optional nested LoginService. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)

CVEID:CVE-2023-36479
**DESCRIPTION:**Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the org.eclipse.jetty.servlets.CGI Servlet. A remote authenticated attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
RST 10.0
RST 10.1
RST 10.2

Remediation/Fixes

Customers are strongly encouraged to upgrade to Rational Service Tester version 11.0.0.

<https://www.ibm.com/support/pages/node/7094942&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmrational_service_testerMatch10.2
OR
ibmrational_service_testerMatch10.1
OR
ibmrational_service_testerMatch10.0

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

29.8%