SB2023103043 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023103043

SB2023103043 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Published: October 30, 2023

Security Bulletin ID SB2023103043
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2019-11254)

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.


2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-8565)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to authorization and bearer tokens will be written to log files if the logging level is set to at least 9. A local user can read the log files and gain access to sensitive data.


3) Infinite loop (CVE-ID: CVE-2020-14040)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.


Remediation

Install update from vendor's website.

References