SB2021122243 - Multiple vulnerabilities in IBM Cloud Automation Manager 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021122243

SB2021122243 - Multiple vulnerabilities in IBM Cloud Automation Manager

Published: December 22, 2021 Updated: June 2, 2023

Security Bulletin ID SB2021122243
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Interaction Between Multiple Correctly-Behaving Entities (CVE-ID: CVE-2021-21366)

The vulnerability allows a remote attacker to gain access to the system.

The vulnerability exists due to xmldom do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. A remote attacker can send a specially crafted file and make syntactic changes during XML processing in some downstream applications.


2) Prototype pollution (CVE-ID: CVE-2021-21368)

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability occrures when msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype. A remote user can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


Remediation

Install update from vendor's website.

References