SB2024052414 - Multiple vulnerabilities in IBM Cloud Pak for Network Automation

Description

This security bulletin contains information about 29 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-20677)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the affix configuration target property due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Input validation error (CVE-ID: CVE-2023-39323)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when processing line directives (e.g. "//line") in the code. A remote attacker can bypass restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".

3) Information disclosure (CVE-ID: CVE-2024-24758)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application does not clear the Proxy-Authentication HTTP header when handling cross-origin redirects. A remote attacker can gain access to sensitive information.

4) Resource exhaustion (CVE-ID: CVE-2024-22201)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 connections. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

5) Out-of-bounds read (CVE-ID: CVE-2023-39615)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the xmlSAX2StartElement() function in /libxml2/SAX2.c. A remote attacker can pass specially crafted XML input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

6) Code Injection (CVE-ID: CVE-2023-50447)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the PIL.ImageMath.eval function. A remote attacker can send a specially crafted input to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Integer overflow (CVE-ID: CVE-2023-36478)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in MetaDataBuilder.checkSize when handling HTTP/2 HPACK header values. A remote attacker can send specially crafted request to the server, trigger an integer overflow and crash the server.

8) Input validation error (CVE-ID: CVE-2023-36479)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in org.eclipse.jetty.servlets.CGI Servlet when quoting a command before its execution. A remote user can force the application to execute arbitrary file on the server and potentially compromise the system.

9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-40167)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when handling the "+" character passed via the HTTP/1 header field. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

10) Improper Authorization (CVE-ID: CVE-2023-41900)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error in the revocation process. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated.

11) Resource exhaustion (CVE-ID: CVE-2024-27088)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A local privileged user can pass functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` and perform a denial of service (DoS) attack.

12) Cross-site scripting (CVE-ID: CVE-2016-10735)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "data-target" attribute. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

13) Cross-site scripting (CVE-ID: CVE-2018-14040)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the data-parent attribute of the collapse plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

14) Cross-site scripting (CVE-ID: CVE-2018-14042)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the data-container property of the tooltip plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

15) Cross-site scripting (CVE-ID: CVE-2018-20676)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the tooltip data-viewport attribute due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

16) Use-after-free (CVE-ID: CVE-2019-13224)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the onig_new_deluxe() function in regext.c in Oniguruma library when processing regular expressions. A remote attacker can pass specially crafted input to the application using the vulnerable library version, trigger use-after-free error and perform denial of service attack or execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

17) Resource exhaustion (CVE-ID: CVE-2019-16163)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

18) Integer overflow (CVE-ID: CVE-2019-19012)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to integer overflow in the "search_in_range" function in "regexec.c". A remote attacker can use a specially crafted regular expression, trigger out-of-bounds read and cause a denial-of-service or information disclosure on the target system.

19) Buffer Over-read (CVE-ID: CVE-2019-19203)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the "gb18030_mbc_enc_len" function in "gb18030.c" file due to the UChar pointer is dereferenced without checking if it passed the end of the matched string. A remote attacker can cause a denial of service condition on the target system.

20) Buffer Over-read (CVE-ID: CVE-2019-19204)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the "fetch_interval_quantifier" function (formerly known as fetch_range_quantifier) in "regparse.c" file due to the PFETCH is called without checking PEND. A remote attacker can cause a denial of service condition on the target system.

21) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-42282)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

22) Out-of-bounds read (CVE-ID: CVE-2023-31122)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within mod_macro module. A remote attacker can send specially crafted requests to the server, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

23) Resource exhaustion (CVE-ID: CVE-2023-6481)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in logback receiver component. A remote attacker can send send poisoned data, trigger resource exhaustion and perform a denial of service (DoS) attack.

24) Input validation error (CVE-ID: CVE-2023-34053)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Web Observations. A remote attacker can send specially crafted HTTP requests to the application and perform a denial of service (DoS) attack.

25) Deserialization of Untrusted Data (CVE-ID: CVE-2023-6378)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized data in logback receiver component. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.

26) Out-of-bounds read (CVE-ID: CVE-2020-28241)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in dump_entry_data_list in maxminddb.c. A remote attacker can perform a denial of service attack.

27) Reachable Assertion (CVE-ID: CVE-2024-0567)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when verifying a certificate chain with a cycle of cross signatures. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service (DoS) attack.

28) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2024-0553)

The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. A remote attacker can perform timing sidechannel attack in RSA-PSK key exchange.

Note, the vulnerability exists due to incomplete fox for #VU83316 (CVE-2023-5981).

29) Input validation error (CVE-ID: CVE-2023-34055)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Web Observations. A remote attacker can send specially crafted HTTP requests to the application and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that application is using Spring MVC or Spring WebFlux and that org.springframework.boot:spring-boot-actuator is on the classpath.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7149320