Aug 29, 2023 - 9:45 p.m.

Security Bulletin: IBM Storage Fusion and IBM Storage Fusion HCI may be vulnerable to denial of service, spoofing attacks via dependent JavaScript libraries (CVE-2021-23440, CVE-2018-25031, CVE-2022-46175, CVE-2022-37599, CVE-2022-37603)

www.ibm.com

EPSS: 0.058 (Low); Percentile: 93.3%

Summary

IBM Storage Fusion and IBM Storage Fusion HCI, previously known as Spectrum Fusion and Spectrum Fusion HCI, may be affected by vulnerabilities in set-value (Node.js), swagger-ui, JSON5, and webpack/loader-utils. The vulnerabilities include access of resources using improper type leading to denial of service, improper input validation leading to spoofing attacks, “prototype pollution”, and a regular expression denial of service, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID: CVE-2021-23440
**DESCRIPTION:** Node.js set-value module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a `__proto__` or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209431 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-25031
**DESCRIPTION:** swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-46175
**DESCRIPTION:** JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a `__proto__` or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)

CVEID: CVE-2022-37599
**DESCRIPTION:** loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-37603
**DESCRIPTION:** webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending a specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**IBM X-Force ID:** 221508
**DESCRIPTION:** Swagger UI could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the OpenAPI definitions. An attacker could exploit this vulnerability using the ?url parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
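
The prototype pollution class described for CVE-2021-23440 and CVE-2022-46175, including the "improper type" case named in the Summary, can be guarded against in application code as sketched below. This is an added example, not code from the bulletin, set-value or JSON5; `safeSet`, `isRejected` and `FORBIDDEN_KEYS` are hypothetical names.

```javascript
// Added example: safeSet and FORBIDDEN_KEYS are hypothetical names,
// not part of set-value, JSON5 or any IBM product.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  const raw = Array.isArray(path) ? path : String(path).split('.');
  // Coerce every segment to a string BEFORE the blocklist check, so the
  // value that is checked is the same value later used as a property key.
  // A non-string segment (for example a nested array) would otherwise
  // pass a string comparison and still resolve to a forbidden key.
  const keys = raw.map((segment) => String(segment));
  if (keys.length === 0 || keys.includes('')) {
    throw new TypeError('path must contain non-empty segments');
  }
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('refusing unsafe path segment: ' + key);
    }
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    // Descend only into own, object-valued properties; anything inherited
    // or non-object is replaced by a fresh object on the target itself.
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Returns true when safeSet refuses the given path (constructed inputs).
function isRejected(path) {
  try {
    safeSet({}, path, true);
    return false;
  } catch (err) {
    return true;
  }
}
```

The same key check applies to objects produced by a permissive parser: reject or strip the forbidden keys before merging parsed data into application state.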

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Fusion
IBM Storage Fusion HCI 2.1.0 - 2.4.0

IBM Storage Fusion 2.5.0, 2.5.1, 2.5.2 and IBM Storage Fusion HCI 2.5.0, 2.5.2 are not affected.

Remediation/Fixes

IBM Storage Fusion

IBM Storage Fusion HCI

Workarounds and Mitigations

None
