SB2023033019 - Multiple vulnerabilities in IBM Cloud Transformation Advisor 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023033019

SB2023033019 - Multiple vulnerabilities in IBM Cloud Transformation Advisor

Published: March 30, 2023

Security Bulletin ID SB2023033019
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-23918)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions within the process.mainModule.require() method. A remote user can access non authorized modules.


2) Memory corruption (CVE-ID: CVE-2017-18258)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the xz_head() function of the GNOME libxml2 library, as defined in the xzlib.c source code due to boundary error in the Lempel-Ziv-Markov (LZMA) decompression feature. A remote unauthenticated attacker can trick the victim into opening a specially crafted LZMA file that submits malicious input, trigger memory corruption and cause the application to crash.


3) Stack-based buffer overflow (CVE-ID: CVE-2017-9048)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper bounds checking in the valid.c code. A remote attacker can send a specially crafted request, trigger stack-based buffer overflow condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


4) Input validation error (CVE-ID: CVE-2022-32189)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in
Float.GobDecode. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2022-36055)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect resource management within the strvals package, responsible for converting strings into Go structures. A remote attacker can pass specially crafted input to the application and consume all available memory on the system.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-23920)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to application insecurely loads ICU data through ICU_DATA environment variable with elevated privileges. A remote user can gain access to potentially sensitive information.


Remediation

Install update from vendor's website.

References