Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2021-39293 CVE-2022-23806 CVE-2021-43565 CVE-2021-44717 CVE-2022-23773 CVE-2021-44716 CVE-2022-23772 CVE-2021-36221 CVE-2021-29923 CVE-2021-34558 CVE-2021-33198 CVE-2021-33197 CVE-2021-33196 CVE-2021-33195 CVE-2021-33194 CVE-2021-31525 |
| CWE-ID | CWE-770 CWE-252 CWE-20 CWE-400 CWE-863 CWE-362 CWE-295 CWE-399 CWE-862 CWE-79 CWE-835 CWE-674 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #10 is available. |
| Vulnerable software |
IBM Cloud Pak for Multicloud Management Monitoring Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
1) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU60921
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-39293
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of archive/zip in Go programming language when processing archive header. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Unchecked Return Value
EUVDB-ID: #VU62036
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23806
CWE-ID:
CWE-252 - Unchecked Return Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unchecked return value within the Curve.IsOnCurve() function in crypto/elliptic. A remote attacker can force the application to incorrectly return true in situations with a big.Int value that is not a valid field element. As a result, an attacker can modify application flow, which can lead to unauthorized data modification or denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU64805
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-43565
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing a Signer to ServerConfig.AddHostKey in cases where the Signer passed to AddHostKey does not implement AlgorithmSigner or the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU59042
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44717
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 requests. A remote attacker can send multiple HTTP/2 requests to the server and exhaust all available memory resources.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Incorrect authorization
EUVDB-ID: #VU62037
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-23773
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Input validation error
EUVDB-ID: #VU58824
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44716
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Resource exhaustion
EUVDB-ID: #VU62038
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23772
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the Rat.SetString(0 function in math/big. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Race condition
EUVDB-ID: #VU55668
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-36221
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in net/http/httputil ReverseProxy when handling ErrAbortHandler events. A remote attacker can trigger a race condition and crash the ReverseProxy.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU56829
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29923
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in net.ParseIP and net.ParseCIDR, as the Go interpreter does not properly consider extraneous zero characters at the beginning
of an IP address octet. A remote attacker can
bypass access control that is based on IP addresses, because of
unexpected octal interpretation.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper Certificate Validation
EUVDB-ID: #VU55665
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2021-34558
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper certificate verification in crypto/tls package in Go when processing X.509 certificates. The application does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Resource management error
EUVDB-ID: #VU56024
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33198
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling a large exponent to the math/big.Rat SetString or UnmarshalText method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Missing Authorization
EUVDB-ID: #VU56023
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33197
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to an error in some configurations of ReverseProxy (from net/http/httputil). A remote attacker can drop arbitrary headers and bypass authorization process.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Resource exhaustion
EUVDB-ID: #VU54521
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33196
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing archives. A remote attacker can pass a specially crafted .zip file to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Cross-site scripting
EUVDB-ID: #VU56022
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33195
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of data passed from DNS lookups. A remote attacker can send a specially crafted DNS reqponse and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Infinite loop
EUVDB-ID: #VU65693
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33194
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can pass crafted ParseFragment input to the application, consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Uncontrolled Recursion
EUVDB-ID: #VU54910
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-31525
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a DoS attack.
The vulnerability exists due to uncontrolled recursion when processing HTTP headers. A remote attacker can send a large header to ReadRequest or ReadResponse and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Pak for Multicloud Management Monitoring: 2.0 - 2.3
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_multicloud_management_monitoring:2.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
