Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier
Discription

## Summary

This fix upgrades to nodejs 14.21.3.

## Vulnerability Details

** CVEID: **[CVE-2023-23918]()
** DESCRIPTION: **Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with –experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247698]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

** CVEID: **[CVE-2023-23920]()
** DESCRIPTION: **Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICU_DATA environment variable, an attacker could exploit this vulnerability to search and potentially load ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247694]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

** CVEID: **[CVE-2023-24807]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Headers.set() and Headers.append() methods in the fetch API. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247695]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2023-23936]()
** DESCRIPTION: **Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247696]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

** CVEID: **[CVE-2023-23919]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by not clear the OpenSSL error stack after operations. By sending specially-crafted cryptographic operations, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247697]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
ICP – IBM Answer Retrieval for Watson Discovery| All

## Remediation/Fixes

**Product(s)**| **Version(s) number and/or range **| **Remediation/Fix/Instructions**
—|—|—
IBM Answer Retrieval for Watson Discovery| < 2.11.0| Download and install [v2.11.0]( “v2.11.0” )
Follow instructions in the downloaded package.

## Workarounds and Mitigations

N/A

##Read More

References

Back to Main
Subscribe for the latest news: