
7912 matches found

IBM Security Bulletins
added 2024/08/08 6:57 p.m., 20 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 )

Summary Node.js http-cache-semantics module is used by IBM Cloud Pak for Data as part of the platform. CVE-2022-25881. Vulnerability Details CVEID:CVE-2022-25881 DESCRIPTION: Node.js http-cache-semantics module is vulnerable to a denial of service, caused by a regular expression denial of service...

CVSS 7.5, AI score 7.6, EPSS 0.00175
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 6:23 p.m., 12 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 )

Summary Node.js passport module is used by IBM Cloud Pak for Data as part of the platform. CVE-2022-25896. Vulnerability Details CVEID:CVE-2022-25896 DESCRIPTION: Node.js passport module could allow a remote attacker to hijack a user's session, caused by a session fixation vulnerability. An...

CVSS 5.8, AI score 6.3, EPSS 0.00164
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 6:16 p.m., 21 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 )

Summary Node.js cookiejar module is used by IBM Cloud Pak for Data as part of the platform. CVE-2022-25901. Vulnerability Details CVEID:CVE-2022-25901 DESCRIPTION: Node.js cookiejar module is vulnerable to a denial of service, caused by an insecure regular expression in the Cookie.parse function....

CVSS 7.5, AI score 8, EPSS 0.00069
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 3:50 p.m., 26 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to obtain sensitive information due to Node.js undici ( CVE-2023-45143 )

Summary Node.js undici is used by IBM Cloud Pak for Data as part of the . CVE-2023-45143. Vulnerability Details CVEID:CVE-2023-45143 DESCRIPTION: Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to clear cookie header on...

CVSS 3.9, AI score 5.3, EPSS 0.00116
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 3:45 p.m., 26 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to bypass security restriction due to Node.js undici module ( CVE-2024-30261, CVE-2024-30260 )

Summary Node.js undici module is used by IBM Cloud Pak for Data as part of the platform. CVE-2024-30261, CVE-2024-30260. Vulnerability Details CVEID:CVE-2024-30261 DESCRIPTION: Node.js undici module could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw with...

CVSS 4.3, AI score 4, EPSS 0.00198
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 2:33 p.m., 20 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to bypass SAML authentication due to passport-saml ( CVE-2022-39299 )

Summary Passport-saml is used by IBM Cloud Pak for Data for SAML authentication. CVE-2022-39299. Vulnerability Details CVEID:CVE-2022-39299 DESCRIPTION: Node.js passport-saml module could allow a remote attacker to bypass security restrictions, caused by improper verification of cryptographic...

CVSS 8.1, AI score 8.4, EPSS 0.04646
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 2:25 p.m., 22 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to SSRF due to ip for Node.js (CVE-2023-42282)

Summary Package ip for Node.js is used by IBM Cloud Pak for Data. CVE-2023-42282 Vulnerability Details CVEID:CVE-2023-42282 DESCRIPTION: Node.js IP package could allow a remote attacker to execute arbitrary code on the system, caused by a server-side request forgery flaw in the ip.isPublic...

CVSS 9.8, AI score 9.3, EPSS 0.00652
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/08 10:34 a.m., 24 views

Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard operands that use COS S3 storage are vulnerable to loss of confidentiality [CVE-2024-42459] [CVE-2024-42460] [CVE-2024-42461]

Summary Node.js Elliptic module is used by IBM App Connect Enterprise Certified Container for encryption and signature validation in communication between a Dashboard and COS S3 storage. IBM App Connect Enterprise Certified Container Dashboard operands that use COS S3 storage for storing bar file...

CVSS 9.1, AI score 5.3, EPSS 0.02898
Exploits: 2, Affected Software: 1
Redos
added 2024/08/08 12:0 a.m., 16 views

ROS-20240808-03

A vulnerability in the HTTP server of the Node.js software platform is related to uncontrolled resource consumption as a result of reading an unlimited number of bytes from a single connection while processing HTTP requests...

CVSS 7.5, AI score 6.9, EPSS 0.0038
Exploits: 0
RedhatCVE
added 2024/08/07 5:46 p.m., 20 views

CVE-2024-42460

A flaw was found in the Elliptic NodeJS package where it fails to properly verify the leading bit for the R and S values used in the ECDSA signature. This issue may lead to a scenario where an attacker can modify the signature without the Elliptic library being able to properly reject it, causing...

CVSS 5.3, AI score 5.2, EPSS 0.00241
Exploits: 1, References: 4
RedhatCVE
added 2024/08/06 4:20 p.m., 26 views

CVE-2024-42461

A flaw was found in the Elliptic package for Node.js. ECDSA signatures encoded in BER format are improperly validated, allowing leading zeros to be added to the signature without invalidating it, resulting in confidentiality issues. Mitigation Mitigation for this issue is either not available or...

CVSS 5.3, AI score 9, EPSS 0.02898
Exploits: 0, References: 4
Tenable Nessus
added 2024/08/06 12:0 a.m., 31 views

Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2024-694)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-694 advisory. NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Prox...

CVSS 6.5, AI score 6.6, EPSS 0.00529
Exploits: 1, References: 8
IBM Security Bulletins
added 2024/08/05 9:44 p.m., 25 views

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js micromatch module denial of service vulnerability[ CVE-2024-4067]

Summary Potential Node.js micromatch module denial of service vulnerability CVE-2024-4067 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

CVSS 5.3, AI score 6.3, EPSS 0.00171
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 9:41 p.m., 22 views

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to ejs lack of pollution protection vulnerability [ CVE-2024-33883]

Summary Potential ejs aka Embedded JavaScript templates package lack of pollution protection vulnerability CVE-2024-33883 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information...

CVSS 4, AI score 4.2, EPSS 0.01499
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 8:55 p.m., 34 views

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerability [ CVE-2024-28849]

Summary Potential Node.js follow-redirects module information disclosure vulnerability CVE-2024-28849 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

CVSS 6.5, AI score 6.7, EPSS 0.01077
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 8:47 p.m., 21 views

Security Bulletin: IBM Storage Ceph is vulnerable to the Exposure of Sensitive Information to an Unauthorized Actor in the RHEL UBI (CVE-2023-45143)

Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-45143. Vulnerability Details CVEID:CVE-2023-45143 DESCRIPTION: Node.js undici module could allow a remote authenticated...

CVSS 3.9, AI score 5.3, EPSS 0.00116
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 8:42 p.m., 27 views

Security Bulletin: IBM Storage Ceph is vulnerable to OS Command Injection in Grafana (CVE-2022-25912, CVE-2022-25860, CVE-2022-25908)

Summary Simple Git is used by IBM Storage Ceph in Grafana for Metrics. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Ceph. CVE-2022-25912, CVE-2022-25860, CVE-2022-25908. Vulnerability Details CVEID:CVE-2022-25912 DESCRIPTION: Node.js simple-git module cou...

CVSS 9.8, AI score 8.8, EPSS 0.34733
Exploits: 3, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 8:15 p.m., 20 views

Security Bulletin: IBM Storage Ceph is vulnerable to Inefficient Regular Expression Complexity in the RHEL UBI (CVE-2022-25881)

Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2022-25881. Vulnerability Details CVEID:CVE-2022-25881 DESCRIPTION: Node.js http-cache-semantics module is vulnerable to a denial...

CVSS 7.5, AI score 6.7, EPSS 0.00175
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2024/08/05 9:25 a.m., 30 views

Security Bulletin: Multiple vulnerabilities fixed in IBM Security Verify Information Queue

Summary Multiple security vulnerabilities in the third-party libraries have been addressed in IBM Security Verify Information Queue ISIQ v10.0.9. Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive...

CVSS 7.5, AI score 7.8, EPSS 0.01077
Exploits: 4, Affected Software: 1
NVD
added 2024/08/02 7:16 p.m., 9 views

CVE-2024-22169

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability,...

CVSS 7.1, EPSS 0.00103
Exploits: 0, References: 1