Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMFB8EB98F059707E2B2452BBE1718288EB221A17CB0BDFBA74D42AB6267854D60
HistorySep 16, 2024 - 5:22 p.m.

Security Bulletin: IBM Maximo Application Suite uses k82.io package which is vulnerable to CVE-2019-11250, CVE-2020-8565, CVE-2019-11253.

2024-09-1617:22:13
www.ibm.com
8
ibm maximo application suite
k82.io package
cve-2019-11250
cve-2020-8565
cve-2019-11253
kubernetes
denial of service

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

JSON

Summary

IBM Maximo Application Suite uses k82.io package which is vulnerable to CVE-2019-11250, CVE-2020-8565, CVE-2019-11253. This bulletin contains information regarding the vulnerability and its fixture.

Vulnerability Details

CVEID:CVE-2019-11250
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by storing credentials in the log by the client-go library. By sending a specially crafted command, an attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166710 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-8565
**DESCRIPTION:**Kubernetes could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when kube-apiserver is using logLevel >= 9. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the Kubernetes authorization tokens information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189925 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-11253
**DESCRIPTION:**The Kubernetes API server is vulnerable to a denial of service, caused by a billion laughs attack, caused by an error when parsing YAML manifests. A remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Maximo Application Suite 9.0
IBM Maximo Application Suite 8.11
IBM Maximo Application Suite 8.10

Remediation/Fixes

Remediated Product(s) Version(s)
IBM Maximo Application Suite 9.0.1
IBM Maximo Application Suite 8.11.14
IBM Maximo Application Suite 8.10.16

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmaximo_application_suiteMatch9.0
OR
ibmmaximo_application_suiteMatch8.11
OR
ibmmaximo_application_suiteMatch8.10
VendorProductVersionCPE
ibmmaximo_application_suite9.0cpe:2.3:a:ibm:maximo_application_suite:9.0:*:*:*:*:*:*:*
ibmmaximo_application_suite8.11cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*
ibmmaximo_application_suite8.10cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*

Related

hackerone 1
redhatcve 3
cvelist 3
cve 3
ibm 35
osv 17
nessus 23
debiancve 3
redhat 16
gitlab 7
github 4
nvd 3
alpinelinux 1
symantec 2
veracode 3
prion 3
attackerkb 1
ubuntucve 3
checkpoint_advisories 1
cbl_mariner 1
wolfi 1
threatpost 4
photon 15
openvas 2
fedora 1
oraclelinux 2
kitploit 1
hackerone
hackerone
Kubernetes: CVE-2019-11250 remains in effect.
2020-08-06 17:42:21
redhatcve
redhatcve
CVE-2020-8565
2020-10-16 00:02:11
CVE-2019-11250
2019-08-13 02:23:16
CVE-2019-11253
2019-10-02 08:51:08
cvelist
cvelist
CVE-2020-8565 Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
2020-12-07 22:00:19
CVE-2019-11250 Kubernetes client-go logs authorization headers at debug verbosity levels
2019-08-29 00:40:43
CVE-2019-11253 Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
2019-10-17 15:40:10
cve
cve
CVE-2020-8565
2020-12-07 22:15:21
CVE-2019-11250
2019-08-29 01:15:11
CVE-2019-11253
2019-10-17 16:15:10
ibm
ibm
Security Bulletin: Vulnerability in Kubernetes affects watsonx.data
2024-09-03 20:08:06
Security Bulletin: A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11250)
2019-11-23 15:24:42
Security Bulletin: IBM Cloud Pak for Data Scheduling contains a vulnerable kubectl package ( CVE-2019-11250 )
2023-12-06 15:46:02
osv
osv
Unauthorized credential disclosure via debug logs in k8s.io/kubernetes and k8s.io/client-go
2021-04-14 20:04:52
XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes
2024-08-21 15:21:45
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
2023-02-08 00:35:27
nessus
nessus
RHEL 7 / 8 : OpenShift Container Platform 4.1.20 openshift (RHSA-2019:3132)
2019-10-17 00:00:00
RHEL 8 : Red Hat OpenShift Service Mesh 1.0 servicemesh-cni (RHSA-2020:2870)
2020-07-07 00:00:00
RHEL 8 : Red Hat OpenShift Service Mesh 1.0 servicemesh-prometheus (RHSA-2020:2863)
2020-07-07 00:00:00
debiancve
debiancve
CVE-2019-11253
2019-10-17 16:15:10
CVE-2019-11250
2019-08-29 01:15:11
CVE-2020-8565
2020-12-07 22:15:21
redhat
redhat
(RHSA-2019:3132) Important: OpenShift Container Platform 4.1.20 openshift security update
2019-10-16 15:24:10
(RHSA-2020:2870) Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-cni security update
2020-07-07 21:08:32
(RHSA-2020:2863) Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-prometheus security update
2020-07-07 19:20:43
gitlab
gitlab
Credentials Management
2019-08-29 00:00:00
Insertion of Sensitive Information into Log File
2022-05-24 00:00:00
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
2021-05-18 00:00:00
github
github
Kubernetes client-go library logs may disclose credentials to unauthorized users
2022-05-24 16:55:06
XML Entity Expansion and Improper Input Validation in Kubernetes API server
2021-05-18 15:38:48
Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
2023-02-08 00:35:27
nvd
nvd
CVE-2019-11250
2019-08-29 01:15:11
CVE-2019-11253
2019-10-17 16:15:10
CVE-2020-8565
2020-12-07 22:15:21
alpinelinux
alpinelinux
CVE-2019-11253
2019-10-17 16:15:10
symantec
symantec
Kubernetes CVE-2019-11250 Information Disclosure Vulnerability
2019-08-13 00:00:00
Kubernetes API Server CVE-2019-11253 Denial of Service Vulnerability
2019-09-27 00:00:00
veracode
veracode
Information Disclosure
2019-08-14 02:24:54
Denial Of Service (DoS)
2019-10-02 02:49:42
Information Disclosure
2023-02-10 12:44:49
prion
prion
Design/Logic Flaw
2019-08-29 01:15:00
Input validation
2019-10-17 16:15:00
Authorization
2020-12-07 22:15:00
attackerkb
attackerkb
Kubectl/API Server YAML parsing vulnerable to "Billion Laughs" Attack
2019-10-17 00:00:00
ubuntucve
ubuntucve
CVE-2019-11253
2019-10-17 00:00:00
CVE-2019-11250
2019-08-29 00:00:00
CVE-2020-8565
2020-12-07 00:00:00
checkpoint_advisories
checkpoint_advisories
Kubernetes API Server Denial Of Service (CVE-2019-11253)
2019-12-26 00:00:00
cbl_mariner
cbl_mariner
CVE-2020-8565 affecting package kubernetes 1.17.13-6
2021-01-29 07:40:01
wolfi
wolfi
CVE-2020-8565 vulnerabilities
2024-09-28 03:12:03
threatpost
threatpost
ThreatList: One-Third of Firms Say Their Container Security Lags
2018-11-23 13:00:48
Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS
2019-10-17 14:25:39
Public Bug Bounty Takes Aim at Kubernetes Container Project
2020-01-14 17:00:28
photon
photon
Moderate Photon OS Security Update - PHSA-2021-0247
2021-03-18 00:00:00
Moderate Photon OS Security Update - PHSA-2021-3.0-0247
2021-06-03 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0288
2020-04-11 00:00:00
openvas
openvas
Fedora Update for kubernetes FEDORA-2019-2b8ef08c95
2019-08-27 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:3760-1)
2021-06-09 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: kubernetes-1.15.2-1.fc30
2019-08-26 00:53:13
oraclelinux
oraclelinux
kubernetes security update
2020-01-31 00:00:00
kubernetes kubeadm-ha-setup kubeadm-upgrade security update
2020-04-17 00:00:00
kitploit
kitploit
Metarget - Framework Providing Automatic Constructions Of Vulnerable Infrastructures
2021-06-04 21:30:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

JSON
Related for FB8EB98F059707E2B2452BBE1718288EB221A17CB0BDFBA74D42AB6267854D60
hackerone1redhatcve3cvelist3cve3ibm35osv17nessus23debiancve3redhat16gitlab7github4nvd3alpinelinux1symantec2veracode3prion3attackerkb1ubuntucve3checkpoint_advisories1cbl_mariner1wolfi1threatpost4photon15openvas2fedora1oraclelinux2kitploit1