Aug 16, 2023 - 6:40 p.m.

Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119]

2023-08-16 18:40:04
www.ibm.com

EPSS: 0.002 (Low), Percentile: 57.4%

Summary

IBM Security Guardium has fixed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-8909
**DESCRIPTION:** Wire App for Android could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) in the filename of a received file, related to AssetService.scala, to write to pathnames outside of the downloads directory.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/140624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2021-41100
**DESCRIPTION:** Wire wire-server could allow a remote attacker to bypass security restrictions, caused by improper session management for the short-lived token. By changing the email address, an attacker could exploit this vulnerability to take over the user account.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210610 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-41119
**DESCRIPTION:** Wire-server is vulnerable to a denial of service, caused by a hash collision. By using a specially crafted object, a remote attacker could exploit this vulnerability to place a heavy load on the server, resulting in a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Security Guardium | 11.5 |

Remediation/Fixes

IBM encourages customers to update their systems promptly.

| Product | Versions | **Fix** |
| --- | --- | --- |
| IBM Security Guardium | 11.5 | |

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| ibm security guardium | eq | 11.5 |
