SB2022091904 - Multiple vulnerabilities in Rational Application Developer for WebSphere Software

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022091904

SB2022091904 - Multiple vulnerabilities in Rational Application Developer for WebSphere Software

Published: September 19, 2022

Security Bulletin ID SB2022091904
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2021-23362)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expression "shortcutMatch" in the "fromUrl" function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


2) Incorrect default permissions (CVE-ID: CVE-2021-22921)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in Windows installer due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.


3) Out-of-bounds read (CVE-ID: CVE-2021-22918)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in uv__idna_toascii() function in libuv, which is used to convert strings to ASCII. A remote attacker can force the application to resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform a denial of service (DoS) attack.


4) Incorrect Regular Expression (CVE-ID: CVE-2021-27290)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of SRIs. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.


Remediation

Install update from vendor's website.

References