SB2023062014 - Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Published: June 20, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Uncaught Exception (CVE-ID: CVE-2022-41940)
The vulnerability allows a remote user to perform denial of service attacks.
The vulnerability exists due to an uncaught exception. A remote user can send specially crafted HTTP request to trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2022-21676)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling. A remote attacker can send specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
3) Incorrect Comparison (CVE-ID: CVE-2021-34141)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incomplete string comparison in the numpy.core component in NumPy. A remote attacker can pass specific string objects to the library and perform a denial of service (DoS) attack.
4) Race condition (CVE-ID: CVE-2022-24302)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a race condition in the write_private_key_file() function between creation and chmod operations. A local user can exploit the race and gain unauthorized access to sensitive information.
5) Insufficient verification of data authenticity (CVE-ID: CVE-2021-37533)
The vulnerability allows an attacker to redirect victim to a malicious host.
The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.
Remediation
Install update from vendor's website.