SB2023110725 - Multiple vulnerabilities in IBM Cloud Pak System
Published: November 7, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
2) Code Injection (CVE-ID: CVE-2023-29404)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
3) Cross-site scripting (CVE-ID: CVE-2023-29400)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing HTML attributes. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Resource exhaustion (CVE-ID: CVE-2022-41725)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper control over internal resources in net/http and mime/multipart. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Code Injection (CVE-ID: CVE-2023-24540)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation when processing whitespace characters. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.
6) Incorrect calculation (CVE-ID: CVE-2023-24532)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars.
7) Path traversal (CVE-ID: CVE-2022-41720)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to the way os.DirFS function and http.Dir type handle empty values on Windows, allowing an attacker with control over the path to view arbitrary files on the system.
8) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2023-29406)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.
Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-29403)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.
10) Resource exhaustion (CVE-ID: CVE-2023-24534)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.
11) Code Injection (CVE-ID: CVE-2023-29405)
The vulnerability allows a remote attacker to compromise the affected system.
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.
12) Cross-site scripting (CVE-ID: CVE-2023-24539)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling angle brackets in CSS context. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
13) Code Injection (CVE-ID: CVE-2023-29402)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.
Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Remediation
Install update from vendor's website.