SB2024050903 - Multiple vulnerabilities in IBM Cloudera Data Platform Private Cloud Base with IBM (CDP)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024050903

SB2024050903 - Multiple vulnerabilities in IBM Cloudera Data Platform Private Cloud Base with IBM (CDP)

Published: May 9, 2024

Security Bulletin ID SB2024050903
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 83% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-28170)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Policy (Jakarta) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


2) Information disclosure (CVE-ID: CVE-2021-28163)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.


3) Incorrect authorization (CVE-ID: CVE-2023-34035)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to authorization rule misconfiguration if the application uses requestMatchers(String) or requestMatchers(HttpMethod, String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. A remote attacker can bypass authorization rules and gain unauthorized access to the application.


4) Improper input validation (CVE-ID: CVE-2020-27223)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


5) XXE attack (CVE-ID: CVE-2017-15712)


The vulnerability allows a remote attacker to perform XXE attack.

The weakness exists due to constructing a workflow XML file containing XML directives. A remote attacker can obtain private files on the server process.

6) Security features bypass (CVE-ID: CVE-2023-20862)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the logout support does not properly clean the security context if using serialized versions. A remote attacker can save an empty security context to the HttpSessionSecurityContextRepository and keep users authenticated even after they performed logout.


Remediation

Install update from vendor's website.

References