SB2023111725 - Multiple vulnerabilities in IBM Business Automation Manager Open Editions
Published: November 17, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 23 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2023-39319)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
2) Path traversal (CVE-ID: CVE-2023-32003)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to a missing check in the fs.mkdtemp() API. A remote attacker can bypass the permission model check using a path traversal attack in fs.mkdtemp() and fs.mkdtempSync().
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32005)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an inadequate permission model that fails to restrict file stats through the fs.statfs API. A remote user can retrieve stats from files that they do not have explicit read access to.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32559)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
5) Path traversal (CVE-ID: CVE-2023-32004)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to improper handling of Buffers in file system APIs. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32002)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.
7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32006)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
8) Path traversal (CVE-ID: CVE-2023-32558)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the deprecated API process.binding(). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
9) Inefficient regular expression complexity (CVE-ID: CVE-2023-26115)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
10) Cross-site scripting (CVE-ID: CVE-2022-48345)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via HTML entities.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) HTTP response splitting (CVE-ID: CVE-2023-27522)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not correclty process CRLF character sequences in mod_proxy_uwsgi. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
12) Resource exhaustion (CVE-ID: CVE-2023-43646)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing malicious input. A remote attacker can trigger resource exhaustion when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly, and perform a denial of service (DoS) attack.
13) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2023-29406)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.
Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.
14) Improper Certificate Validation (CVE-ID: CVE-2023-29409)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to verifying certificate chains containing large RSA keys is slow. A remote attacker can cause a client/server to expend significant CPU time verifying signatures.
15) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-39533)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
16) Cross-site scripting (CVE-ID: CVE-2023-39318)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the html/template package when handling HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
17) Incorrect Regular Expression (CVE-ID: CVE-2022-25883)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.
18) Resource exhaustion (CVE-ID: CVE-2017-18214)
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.The weakness exists due to resource exhaustion. A remote attacker can submit a specially crafted data string and cause the service to crash.
19) Resource exhaustion (CVE-ID: CVE-2023-42503)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing .tar archives. A remote attacker can pass a specially crafted archive to the application and consume excessive CPU usage.
20) Buffer overflow (CVE-ID: CVE-2021-39275)
The vulnerability allows a remote attacker to execute arbitrary code on the target system or perform a denial of service attack.
The vulnerability exists due to a boundary error within the ap_escape_quotes() function. A remote attacker can send a specially crafted request to the web server, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that the Apache module passes untrusted data to the affected function.
According to vendor, No included modules pass untrusted data to these functions
21) Out-of-bounds read (CVE-ID: CVE-2021-36160)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the mod_proxy_uwsgi module in Apache HTTP Server. A remote attacker can send an HTTP request with specially crafted uri-path, trigger an out-of-bounds read and perform a denial of service (DoS) attack.
22) NULL pointer dereference (CVE-ID: CVE-2021-34798)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can send a specially crafted HTTP request to the affected web server and perform a denial of service (DoS) attack.
23) Incorrect default permissions (CVE-ID: CVE-2023-2976)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
Remediation
Install update from vendor's website.