Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMFEEB22705846872BB83E3BC9FE94522005DBC482F542E59A9C17E7BC4EEDF76A
HistoryMay 15, 2023 - 6:36 p.m.

Security Bulletin: Open Source Dependency Vulnerability

2023-05-1518:36:46
www.ibm.com
10

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.021 Low

EPSS

Percentile

88.9%

JSON

Summary

IBM Edge Application Manager 4.5 has resolved the vulnerability.

Vulnerability Details

CVEID:CVE-2020-15112
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by a flaw in the ReadAll method in wal/wal.go. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause a runtime panic.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186328 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-26160
**DESCRIPTION:**jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-16886
**DESCRIPTION:**etcd could allow a remote attacker to bypass security restrictions, caused by improper authentication in auth/store.go:AuthInfoFromTLS() when role-based access control (RBAC) is used and client-cert-auth is enabled. By sending a specially crafted REST API request to the gRPC-gateway, an attacker could exploit this vulnerability to bypass authentication.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155498 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-44716
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2018-1098
**DESCRIPTION:**etcd is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/141542 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-15106
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by improper data validation in the decodeRecord method. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause panic in decodeRecord method,
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186329 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-15113
**DESCRIPTION:**etcd could allow a remote attacker to bypass security restrictions, caused by the lack of permission checks in the os.MkdirAll function when a given directory path exists already. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186327 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2018-1099
**DESCRIPTION:**etcd could allow a remote attacker to gain access to the DNS records, caused by a DNS rebinding. An attacker could exploit this vulnerability to rebind DNS records.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/141541 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-29526
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-14040
**DESCRIPTION:**Go Language x/text package is vulnerable to a denial of service, caused by a vulnerability in encoding/unicode in the UTF-16 decoder. By sending a single byte to a UTF16 decoder, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184313 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Edge Application Manager 4.4
IBM Edge Application Manager 4.3

Remediation/Fixes

The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.

Workarounds and Mitigations

None

Related

ibm 12
altlinux 2
fedora 3
nessus 22
openvas 7
osv 28
ubuntu 2
redhat 14
ubuntucve 7
photon 6
redhatcve 9
wolfi 3
prion 9
gitlab 9
veracode 9
debiancve 8
github 8
cve 9
cgr 2
cbl_mariner 25
alpinelinux 2
almalinux 1
oraclelinux 1
rocky 1
ibm
ibm
Security Bulletin: IBM Cloud Private is vulnerable to etcd vulnerabilities (CVE-2020-15106, CVE-2020-15112, CVE-2020-15113)
2021-02-26 14:21:09
Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113)
2021-02-02 13:37:27
Security Bulletin: CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard
2023-02-24 13:14:12
altlinux
altlinux
Security fix for the ALT Linux 10 package etcd version 3.4.7-alt1
2020-04-26 00:00:00
Security fix for the ALT Linux 10 package etcd version 3.4.13-alt1
2020-09-05 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: etcd-3.3.12-4.20190413gitf29b1ad.fc29
2019-05-06 04:15:25
[SECURITY] Fedora 30 Update: etcd-3.3.12-1.20190314gite1ca3b4.fc30
2019-04-13 00:09:57
[SECURITY] Fedora 32 Update: etcd-3.4.13-1.fc32
2021-01-04 01:18:15
nessus
nessus
Fedora 30 : etcd (2019-833466697f)
2019-05-02 00:00:00
Fedora 29 : etcd (2019-219b0b0b6a)
2019-05-06 00:00:00
Ubuntu 18.04 ESM : etcd vulnerabilities (USN-5628-2)
2023-10-16 00:00:00
openvas
openvas
Fedora Update for etcd FEDORA-2019-219b0b0b6a
2019-05-07 00:00:00
Ubuntu: Security Advisory (USN-5628-2)
2023-01-27 00:00:00
Ubuntu: Security Advisory (USN-5628-1)
2022-09-23 00:00:00
osv
osv
etcd vulnerabilities
2022-09-22 15:16:34
etcd vulnerabilities
2022-09-22 13:38:55
BIT-etcd-2020-15106
2024-03-06 10:52:40
ubuntu
ubuntu
etcd vulnerabilities
2022-09-22 00:00:00
etcd vulnerabilities
2022-09-22 00:00:00
redhat
redhat
(RHSA-2021:1407) Moderate: etcd security update
2021-04-27 16:05:53
(RHSA-2021:0916) Moderate: Red Hat OpenStack Platform 16.1.4 (etcd) security update
2021-03-17 13:32:51
(RHSA-2021:0516) Moderate: Release of OpenShift Serverless 1.13.0 security update
2021-02-15 14:47:44
ubuntucve
ubuntucve
CVE-2018-16886
2019-01-14 00:00:00
CVE-2020-26160
2020-09-30 00:00:00
CVE-2020-15113
2020-08-05 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0313
2020-08-18 00:00:00
Critical Photon OS Security Update - PHSA-2020-0313
2020-08-18 00:00:00
Important Photon OS Security Update - PHSA-2020-0130
2020-08-25 00:00:00
redhatcve
redhatcve
CVE-2020-26160
2020-09-30 22:37:10
CVE-2020-15112
2020-08-14 06:13:32
CVE-2020-15113
2020-08-14 06:13:31
wolfi
wolfi
CVE-2020-26160 vulnerabilities
2024-04-23 03:07:01
CVE-2020-15106 vulnerabilities
2024-04-23 03:07:01
CVE-2020-14040 vulnerabilities
2024-04-23 03:07:01
prion
prion
Authentication flaw
2019-01-14 19:29:00
Design/Logic Flaw
2020-08-05 19:15:00
Design/Logic Flaw
2020-08-05 20:15:00
gitlab
gitlab
Improper Authentication
2022-02-15 00:00:00
Improper Input Validation in etcd
2023-02-07 00:00:00
Improper Authentication
2022-04-12 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-08-06 06:19:36
Authorization Bypass
2020-09-30 00:55:36
Denial Of Service (DoS)
2021-03-18 06:52:12
debiancve
debiancve
CVE-2020-26160
2020-09-30 18:15:00
CVE-2018-16886
2019-01-14 19:29:00
CVE-2020-15113
2020-08-05 20:15:00
github
github
Improper Preservation of Permissions in etcd
2024-01-30 23:54:26
go.etcd.io/etcd Authentication Bypass
2022-04-12 22:41:32
Authorization bypass in github.com/dgrijalva/jwt-go
2021-05-18 21:08:21
cve
cve
CVE-2018-16886
2019-01-14 19:29:00
CVE-2020-15106
2020-08-05 19:15:00
CVE-2020-15113
2020-08-05 20:15:00
cgr
cgr
CVE-2020-26160 vulnerabilities
2024-04-23 09:06:29
CVE-2020-15106 vulnerabilities
2024-04-23 09:06:29
cbl_mariner
cbl_mariner
CVE-2020-15112 affecting package etcd 3.4.3-4
2022-04-09 06:52:04
CVE-2020-15113 affecting package etcd 3.4.3-4
2022-04-09 06:52:04
CVE-2020-15106 affecting package etcd 3.4.3-4
2022-04-09 06:52:04
alpinelinux
alpinelinux
CVE-2020-26160
2020-09-30 18:15:00
CVE-2021-44716
2022-01-01 05:15:00
almalinux
almalinux
Important: grafana security update
2022-01-03 07:30:31
oraclelinux
oraclelinux
grafana security update
2022-01-04 00:00:00
rocky
rocky
grafana security update
2022-01-03 07:30:31

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.021 Low

EPSS

Percentile

88.9%

JSON
Related for FEEB22705846872BB83E3BC9FE94522005DBC482F542E59A9C17E7BC4EEDF76A
ibm12altlinux2fedora3nessus22openvas7osv28ubuntu2redhat14ubuntucve7photon6redhatcve9wolfi3prion9gitlab9veracode9debiancve8github8cve9cgr2cbl_mariner25alpinelinux2almalinux1oraclelinux1rocky1