SB2023112014 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Published: November 20, 2023 Updated: February 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 41 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2454)
The vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to improperly imposed security restrictions. A remote database user with CREATE privilege can bypass protective search_path changes via "CREATE SCHEMA ... schema_element" command and execute arbitrary code on the system.
2) Cross-site request forgery (CVE-ID: CVE-2023-40336)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Cross-site request forgery (CVE-ID: CVE-2023-40337)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
4) Path traversal (CVE-ID: CVE-2023-40338)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to the affected plugin displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
5) Information disclosure (CVE-ID: CVE-2023-40339)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper masking of credentials. A remote user can gain unauthorized access to sensitive information on the system.
6) Session Fixation (CVE-ID: CVE-2022-25896)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the session is regenerated instead of being closed when a user logs in or logs out. A remote attacker can gain access to the session.
7) Improper Authorization (CVE-ID: CVE-2023-41900)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an error in the revocation process. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated.
8) Deserialization of Untrusted Data (CVE-ID: CVE-2023-39410)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to reader can consume memory beyond the allowed constraints and thus lead to out of memory on the system, when deserializing untrusted or corrupted data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
9) Cross-site scripting (CVE-ID: CVE-2023-40684)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
10) Security features bypass (CVE-ID: CVE-2023-2455)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.
This affects only databases that have used CREATE POLICY to define a row security policy.
11) Buffer Over-read (CVE-ID: CVE-2019-17595)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read issue in the "fmt_entry" function in "tinfo/comp_hash.c" in the terminfo library. A remote attacker can trigger a buffer over-read condition and cause a denial of service condition on the target system.12) Memory leak (CVE-ID: CVE-2023-2602)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the error handling in the __wrap_pthread_create() function. A remote attacker can send a specially crafted request, exploit vulnerability to exhaust the process memory and cause a denial of service condition.
13) PHP file inclusion (CVE-ID: CVE-2023-2603)
The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in web/ajax/modal.php. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
14) Resource exhaustion (CVE-ID: CVE-2023-2828)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.
15) State Issues (CVE-ID: CVE-2023-27536)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to cURL will reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
16) Improper certificate validation (CVE-ID: CVE-2023-28321)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper certificate validation when matching wildcards in TLS certificates for IDN names. A remote attacker crate a specially crafted certificate that will be considered trusted by the library.
Successful exploitation of the vulnerability requires that curl is built to use OpenSSL, Schannel or Gskit.
17) NULL pointer dereference (CVE-ID: CVE-2023-28484)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in xmlSchemaFixupComplexType. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
18) Resource management error (CVE-ID: CVE-2023-29469)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources when working with hashes of empty dict strings. A remote attacker can and perform a denial of service (DoS) attack.
19) Improper input validation (CVE-ID: CVE-2023-22045)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
20) Improper input validation (CVE-ID: CVE-2023-22049)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
21) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32002)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.
22) Heap-based buffer overflow (CVE-ID: CVE-2019-17594)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "_nc_find_entry" function in "tinfo/comp_hash.c" in the terminfo library. A remote attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
23) Code Injection (CVE-ID: CVE-2023-29405)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
24) Information disclosure (CVE-ID: CVE-2023-32681)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.
25) Buffer overflow (CVE-ID: CVE-2023-29491)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing malformed data in a terminfo database file. A local user can trigger memory corruption and execute arbitrary code on the target system.
26) Stack-based buffer overflow (CVE-ID: CVE-2023-31419)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the _search API. A remote attacker can pass specially crafted data to the application, trigger a stack buffer overflow and perform a denial of service (DoS) attack.
27) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-40167)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling the "+" character passed via the HTTP/1 header field. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
28) Code Injection (CVE-ID: CVE-2023-29402)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.
Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
29) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-29403)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.
30) Code Injection (CVE-ID: CVE-2023-29404)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
31) Resource exhaustion (CVE-ID: CVE-2023-42503)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing .tar archives. A remote attacker can pass a specially crafted archive to the application and consume excessive CPU usage.
32) Insufficient verification of data authenticity (CVE-ID: CVE-2023-37920)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exist due to software recognizes "e-Tugra" root certificates, which were subject to an investigation prompted by reporting of security issues in their systems. An attacker with ability to generate certificates signed with the compromised "e-Tugra" root certificate can perform MitM attack.
33) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-23541)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insecure implementation of key retrieval function. A remote user attacker can cause successful validation of forged tokens.
34) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-23539)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insecure key types are used for signature verification. A remote user can enable legacy keys usage.
35) Input validation error (CVE-ID: CVE-2022-23529)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in jwt.verify function. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.
36) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-23540)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insecure default algorithm in jwt.verify(). A remote attacker can cause signature validation bypass.
37) Out-of-bounds read (CVE-ID: CVE-2022-29458)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in convert_strings in tinfo/read_entry.c in the terminfo library. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
38) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).
39) Improper Certificate Validation (CVE-ID: CVE-2023-1409)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists if the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux). A remote attacker can exploit vulnerability to modify data on the system.
40) CRLF injection (CVE-ID: CVE-2019-11236)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient filtration of user-supplied data passed via HTTP request parameters to urllib3 library. A remote attacker can pass specially crafted data that contains CRLF sequences and perform a spoofing attack.
41) CRLF injection (CVE-ID: CVE-2020-26137)
The vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
Remediation
Install update from vendor's website.