SB2022091209 - Multiple vulnerabilities in IBM Planning Analytics Workspace
Published: September 12, 2022 Updated: January 23, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Incorrect Regular Expression (CVE-ID: CVE-2021-27290)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of SRIs. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.
2) Incorrect permission assignment for critical resource (CVE-ID: CVE-2021-20526)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a failure when setting the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
3) Prototype pollution (CVE-ID: CVE-2019-11358)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
4) Cross-site scripting (CVE-ID: CVE-2020-11023)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2020-11022)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Missing Authorization (CVE-ID: CVE-2021-20066)
The vulnerability allows a remote attacker to manipulate local files.
The vulnerability exists due to JSDom improperly allows the loading of local resources. A remote attacker can manipulate local files using a malicious web page when script execution is enabled.
7) Absolute Path Traversal (CVE-ID: CVE-2021-32804)
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar
would only strip a single path root from such paths. When given an
absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
8) Absolute Path Traversal (CVE-ID: CVE-2021-32803)
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when extracting tar files that contained both a directory
and a symlink with the same name as the directory. This order of
operations resulted in the directory being created and added to the node-tar
directory cache. When a directory is present in the directory cache,
subsequent calls to mkdir for that directory are skipped. However, this
is also where node-tar checks for symlinks occur.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar
symlink checks on directories, essentially allowing an untrusted tar
file to symlink into an arbitrary location and subsequently extracting
arbitrary files into that location, thus allowing arbitrary file
creation and overwrite.
9) Incorrect Regular Expression (CVE-ID: CVE-2021-23362)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expression "shortcutMatch" in the "fromUrl" function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
10) Prototype pollution (CVE-ID: CVE-2020-7788)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.
11) Prototype pollution (CVE-ID: CVE-2020-7774)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.
12) Prototype pollution (CVE-ID: CVE-2020-28458)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
13) Improper Certificate Validation (CVE-ID: CVE-2021-22939)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incomplete validation of rejectUnauthorized parameter. A remote attacker can cause the connections to servers with an expired certificate would have been accepted.
14) Improper input validation (CVE-ID: CVE-2021-22931)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Cluster: General (Node.js) component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
15) Incorrect Regular Expression (CVE-ID: CVE-2021-23343)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-12/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities-12/</a><br>
- https://www.ibm.com/support/pages/node/6507095</p><p><br></p>