SB2024052129 - Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024052129

SB2024052129 - Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family

Published: May 21, 2024

Security Bulletin ID SB2024052129
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 86% Medium 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2013-2251)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.


2) Input validation error (CVE-ID: CVE-2013-2248)

The vulnerability allows a remote attacker to perform redirect attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.


3) Code Injection (CVE-ID: CVE-2013-2135)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.


4) Code Injection (CVE-ID: CVE-2013-2134)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching


5) Code Injection (CVE-ID: CVE-2013-2115)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability occurs when a crafted request is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.


6) Code Injection (CVE-ID: CVE-2013-1966)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.


7) Improper Handling of Parameters (CVE-ID: CVE-2013-1965)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of parameters. A remote unauthenticated attacker can trigger vulnerability and execute arbitrary OGNL code via a crafted parameter name.


Remediation

Install update from vendor's website.

References