Multiple vulnerabilities in IBM VM Recovery Manager DR GUI
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-28500 CVE-2021-23337 |
| CWE-ID | CWE-185 CWE-77 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM VM Recovery Manager DR Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Incorrect Regular Expression
EUVDB-ID: #VU54394
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28500
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsIBM VM Recovery Manager DR: All versions
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-affects-ibm-vm-recovery-manager-dr-gui/
https://www.ibm.com/support/pages/node/6494365
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Command Injection
EUVDB-ID: #VU53202
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23337
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.
Install update from vendor's website.
Vulnerable software versionsIBM VM Recovery Manager DR: All versions
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-affects-ibm-vm-recovery-manager-dr-gui/
https://www.ibm.com/support/pages/node/6494365
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
