Main Vulnerability Database SB2024022205

SB2024022205 - Multiple vulnerabilities in IBM Rational Performance Tester

Published: February 22, 2024

Security Bulletin ID SB2024022205

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2023-41900)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error in the revocation process. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated.

2) Input validation error (CVE-ID: CVE-2023-36479)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in org.eclipse.jetty.servlets.CGI Servlet when quoting a command before its execution. A remote user can force the application to execute arbitrary file on the server and potentially compromise the system.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/support/pages/node/7122432