Multiple vulnerabilities in IBM Event Streams

1) Improper input validation

EUVDB-ID: #VU55164

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-29582

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Signaling (Calico) component in Oracle Communications Cloud Native Core Network Slice Selection Function. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Event Streams: before 11.4.0

CPE2.3

External links

http://www.ibm.com/support/pages/node/7158615

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security features bypass

EUVDB-ID: #VU60367

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24329

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists due to unspecified error, related to the ability to lock dependencies for Kotlin Multiplatform Gradle projects.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Event Streams: before 11.4.0

CPE2.3

External links

http://www.ibm.com/support/pages/node/7158615

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.