7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.008 Low
EPSS
Percentile
81.0%
IBM Spectrum Protect Plus can be affected by vulnerabilities in Node.js, XStream, and Linux kernel. Vulnerabilities include causing a denial of service condition and HTTP request smuggling, as described by the CVEs in the “Vulnerability Details” section. These vulnerabilities have been addressed.
CVEID:CVE-2022-3106
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by the lacking check of return value of kmalloc() in ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c. A local attacker could exploit this vulnerability to cause a null pointer dereference, leading to a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242226 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-3108
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by the lacking check of return value of kmemdup() in lkfd_parse_subtype_iolink in drivers/gpudrm/amd/amdkfd/kfd_crat.c . A local attacker could exploit this vulnerability to cause a null pointer dereference, leading to a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242225 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-40152
**DESCRIPTION:**XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-3105
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by the lacking check of return value of kmalloc_array() in uapi_finalize in drivers/infiniband/core/uverbs_uapi.c. A local attacker could exploit this vulnerability to cause a null pointer dereference, leading to a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242227 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-35256
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the failure to correctly handle header fields that are not terminated with CLRF by the llhttp parser in the http module. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236964 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-3107
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by the lack of checking the return value of kvmalloc_array() in netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c l. A local attacker could exploit this vulnerability to cause a null pointer dereference, leading to a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242222 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**IBM X-Force ID:**237508
**DESCRIPTION:**Node.js npm CLI module is vulnerable to a denial of service. By stripping the trailing slash from files
arguments and passing untrusted input into the tar.extract()
or tar.list()
array of entries to parse/extract, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Storage Protect Plus Server | 10.1.0 - 10.1.14 |
IBM Spectrum Protect Plus Affected Versions | Fixing Level | Platform | Link to Fix and Instructions |
---|---|---|---|
10.1.0 - 10.1.14 | 10.1.15 | Linux |
<https://www.ibm.com/support/pages/node/6988945>
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum protect plus | eq | 10.1 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.008 Low
EPSS
Percentile
81.0%