SB2023121802 - Multiple vulnerabilities in IBM Planning Analytics Workspace
Published: December 18, 2023 Updated: January 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2022-48285)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient sanitization of user-supplied in the loadAsync() method. A remote attacker can pass a specially crafted ZIP archive to the application and overwrite arbitrary files on the system.
2) Improper input validation (CVE-ID: CVE-2022-34169)
The vulnerability allows a remote non-authenticated attacker to compromise the affected system.
The vulnerability exists due to an integer truncation issue when processing malicious XSLT stylesheets. A remote non-authenticated attacker can pass specially crafted data to the application to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
3) Code Injection (CVE-ID: CVE-2023-29405)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
4) Code Injection (CVE-ID: CVE-2023-29404)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-29403)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.
6) Code Injection (CVE-ID: CVE-2023-29402)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.
Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
7) Incorrect default permissions (CVE-ID: CVE-2020-8908)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.
8) Incorrect default permissions (CVE-ID: CVE-2023-2976)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
9) Resource exhaustion (CVE-ID: CVE-2023-34462)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.
10) Reachable Assertion (CVE-ID: CVE-2021-31294)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Redis allows a replica to cause an assertion failure in a primary server. A remote attacker can send a non-administrative command (specifically, a SET command) to perform a denial of service (DoS) attack.
11) Code Injection (CVE-ID: CVE-2022-24735)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Lua script execution environment. A remote user can send a specially crafted request and execute arbitrary code on the target system with elevated privileges.
12) NULL pointer dereference (CVE-ID: CVE-2022-24736)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can use a specially crafted Lua script and perform a denial of service (DoS) attack.
13) Input validation error (CVE-ID: CVE-2022-24434)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a modified form to server, and crash the nodejs service. An attacker can sent the payload again and again so that the service continuously crashes.
14) Incorrect Regular Expression (CVE-ID: CVE-2022-25883)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.
15) Inefficient regular expression complexity (CVE-ID: CVE-2023-26115)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Remediation
Install update from vendor's website.