IBMF1E13830189EF724267AE210258121182D99740D98A2D34B36F92619C8D706D7Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.061 Low
EPSS
Percentile
93.6%
Summary
jQuery is used by IBM Robotic Process Automation for Cloud Pak as part of Abbyy (CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, CVE-2020-23064). Kubernetes kube-apiserver is used by IBM Robotic Process Automation for Cloud Pak as part of the operator (CVE-2020-8552). Go (Go-Yaml, goproxy) is used by IBM Robotic Process Automation for Cloud Pak as part of the operator (CVE-2022-28948, CVE-2023-37788). Microsft .NET Core is used by IBM Robotic Process Automation as part of the runtime environment (CVE-2023-36799).
Vulnerability Details
CVEID:CVE-2015-9251
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2019-11358
**DESCRIPTION:**jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-8552
**DESCRIPTION:**Kubernetes kube-apiserver is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted resource request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-11022
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-11023
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-23064
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the element. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259074 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2022-28948
**DESCRIPTION:**Go-Yaml is vulnerable to a denial of service, caused by a flaw in the Unmarshal function. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the program to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226978 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-36799
**DESCRIPTION:**Microsoft .NET Core and Visual Studio is vulnerable to a denial of service. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265556 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-37788
**DESCRIPTION:**goproxy is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted HTTP request to HTTPS page replaced path the “/” with asterix “*”, a remote attacker could exploit this vulnerability to cause goproxy server to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261155 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
All CVE’s except CVE-2023-37788:
| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.9, 23.0.0 - 23.0.9 |
CVE-2023-37788:
| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.9, 23.0.0 - 23.0.10 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
All CVE’s except CVE-2023-37788:
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.9 | Update to 21.0.7.10 or higher using the following instructions. |
IBM Robotic Process Automation for Cloud Pak
| 23.0.0 - 23.0.9| Update to 23.0.10 or higher using the following instructions.
CVE-2023-37788:
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.9 | Update to 21.0.7.10 or higher using the following instructions. |
IBM Robotic Process Automation for Cloud Pak
| 23.0.0 - 23.0.10| Update to 23.0.11 or higher using the following instructions.
Workarounds and Mitigations
None
Affected configurations
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.061 Low
EPSS
Percentile
93.6%