8 matches found
Security Bulletin: Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487)
Summary: There are multiple vulnerabilities in Vega 5.22.1 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2023-26486. DESCRIPTION: Vega is vulnerable to cross-site...
Elastic Stack 8.7.0, 7.17.10 Security Updates
Filebeat Information Exposure (ESA-2023-04): A flaw was discovered in the Filebeat httpjson input that allows the contents of the HTTP request Authorization or Proxy-Authorization header to be leaked in the logs when debug logging is enabled. Affected Versions: All Filebeat versions through 7.17.9 and 8.6....
CVE-2023-26486
| creationtimestamp | type | source |
|---|---|---|
| 2023-03-04 02:35:36+00:00 | seen | https://t.me/cibsecurity/59413... |
CVE-2023-26486
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...
CVE-2023-26486
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...
CVE-2023-26486 Vega `scale` expression function cross-site scripting
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...
CVE-2023-26486
CVE-2023-26486 concerns Vega’s scale expression function, which can pass a user-supplied group to getScale and allow the context to be treated as internal, enabling an escape of the Vega sandbox and arbitrary JavaScript execution. Public sources in the provided documents confirm this is a Vega vu...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +128 more potentially affected by CVE-2023-26486 via vega (>=1.5.4 <=5.22.1)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2023-26486 Source advisory: OSV:GHSA-4VQ7-882G-WCG4...