SB2023020231 - Multiple vulnerabilities in IBM Process Mining

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023020231

SB2023020231 - Multiple vulnerabilities in IBM Process Mining

Published: February 2, 2023

Security Bulletin ID SB2023020231
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 17% Medium 83%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2019-1010266)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the software does not properly parse user-supplied input in the Date Handler component. A remote authenticated attacker can send long strings that submit malicious input, which the library attempts to match using a regular expression and consume excessive amounts of CPU resources and cause a DoS condition.


2) Code Injection (CVE-ID: CVE-2019-10744)

The vulnerability allows a remote attacker to modify properties on the target system.

The vulnerability exists due to improper input validation in the "defaultsDeep" function. A remote attacker can send a specially crafted request and modify the prototype of "Object" via "{constructor: {prototype: {...}}}" causing the addition or modification of an existing property that will exist on all objects.



3) Prototype polution (CVE-ID: CVE-2020-8203)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when using _.zipObjectDeep in lodash. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Prototype pollution (CVE-ID: CVE-2018-16487)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the merge, mergeWith, and defaultsDeep functions. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype.

Successful exploitation of this vulnerability may result in complete compromise of the affected application.


5) Command Injection (CVE-ID: CVE-2021-23337)

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.


6) Input validation error (CVE-ID: CVE-2018-3721)

The vulnerability allows a remote authenticated user to manipulate data.

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.


Remediation

Install update from vendor's website.

References