SB2023011903 - Multiple vulnerabilities in IBM Engineering Requirements Quality Assistant On-Premises

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023011903

SB2023011903 - Multiple vulnerabilities in IBM Engineering Requirements Quality Assistant On-Premises

Published: January 19, 2023

Security Bulletin ID SB2023011903
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Certificate Validation (CVE-ID: CVE-2021-22939)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to incomplete validation of rejectUnauthorized parameter. A remote attacker can cause the connections to servers with an expired certificate would have been accepted.


2) Improper input validation (CVE-ID: CVE-2021-22931)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Cluster: General (Node.js) component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


3) Prototype pollution (CVE-ID: CVE-2020-7598)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References