SB2024051714 - Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration
Published: May 17, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2022-24785)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the npm version of Moment.js. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
2) Input validation error (CVE-ID: CVE-2024-21742)
The vulnerability allows a remote attacker to manipulate MIME headers.
The vulnerability exists due to insufficient validation of user-supplied input when using MIME4J DOM for composing message. A remote attacker can manipulate headers inside a MIME message.
3) Resource exhaustion (CVE-ID: CVE-2021-44906)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
4) OS Command Injection (CVE-ID: CVE-2022-24433)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to an argument injection in the .fetch(remote, branch, handlerFn) function. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) OS Command Injection (CVE-ID: CVE-2022-25912)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists when enabling the ext transport protocol, which makes it exploitable via clone() method. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2022-24066)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an incomplete fix of [CVE-2022-24433] which only patches against the git fetch attack vector. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code on the target system.
7) Incorrect Regular Expression (CVE-ID: CVE-2022-3517)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
8) Incorrect Regular Expression (CVE-ID: CVE-2022-25883)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.
9) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.
10) Resource exhaustion (CVE-ID: CVE-2021-3749)
The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the isURLSearchParams function in utils.js. A remote attacker can send specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.
11) Cross-site request forgery (CVE-ID: CVE-2023-45857)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
12) Open redirect (CVE-ID: CVE-2023-26159)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within the url.parse() function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
13) Information disclosure (CVE-ID: CVE-2022-0155)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.
14) Information disclosure (CVE-ID: CVE-2022-0536)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.
15) Information disclosure (CVE-ID: CVE-2024-28849)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to credentials are shared via headers when following cross-domain redirects. A remote attacker can gain access to sensitive information.
Remediation
Install update from vendor's website.