SB2024040817 - Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2024-22195)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the xmlattr filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) NULL pointer dereference (CVE-ID: CVE-2024-26130)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

3) Observable discrepancy (CVE-ID: CVE-2023-50782)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7129823