Security Bulletin: Vulnerability in Node.js affects IBM Voice Gateway

## Summary

Multiple security vulnerabilities in the Node.js runtime shipped with IBM Voice Gateway affect IBM Voice Gateway. The vulnerabilities have been addressed in the fixed images listed under Remediation/Fixes.

## Vulnerability Details

**CVEID:** CVE-2023-23920
**DESCRIPTION:** Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control in the handling of the ICU_DATA environment variable. By setting a specially-crafted ICU_DATA value, an attacker could cause Node.js to search for and potentially load attacker-controlled ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247694 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2023-23919
**DESCRIPTION:** Node.js is vulnerable to a denial of service, caused by failing to clear the OpenSSL error stack after cryptographic operations, so that stale errors are reported by later, unrelated operations. By triggering specially-crafted cryptographic operations, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247697 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-23918
**DESCRIPTION:** Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the experimental policy mechanism enabled with `--experimental-policy`. By calling `process.mainModule.require()` from a specially-crafted request, an attacker could exploit this vulnerability to bypass the policy and load modules the policy does not authorize.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2023-24807
**DESCRIPTION:** Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the `Headers.set()` and `Headers.append()` methods of the fetch API. By supplying a specially-crafted header value that triggers catastrophic backtracking in the regular expression used to validate it, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-23936
**DESCRIPTION:** Node.js is vulnerable to CRLF injection, caused by insufficient validation of header values (notably the Host header) in the fetch API. By supplying a specially-crafted value containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247696 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
Voice Gateway | 1.0.2
Voice Gateway | 1.0.2.4
Voice Gateway | 1.0.3
Voice Gateway | 1.0.4
Voice Gateway | 1.0.5
Voice Gateway | 1.0.6
Voice Gateway | 1.0.7
Voice Gateway | 1.0.7.1
Voice Gateway | 1.0.8

## Remediation/Fixes

IBM strongly suggests upgrading to the following IBM Voice Gateway 1.0.8.x images:

- ibmcom/voice-gateway-mr:1.0.8.8
- ibmcom/voice-gateway-tts-adapter:1.0.8.4
- ibmcom/voice-gateway-stt-adapter:1.0.8.4

The above images can be found at the following links:

- https://hub.docker.com/r/ibmcom/voice-gateway-so/tags
- https://hub.docker.com/r/ibmcom/voice-gateway-tts-adapter/tags
- https://hub.docker.com/r/ibmcom/voice-gateway-stt-adapter/tags
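To confirm that a deployment is actually on the fixed tags, the following POSIX shell script compares image references from an inventory against the fixed tags listed above. It is an added example, not part of the IBM bulletin; the inventory lines are constructed, and in practice you would feed it the output of `docker ps --format '{{.Image}}'` or the image fields of a Kubernetes pod spec. Images not named in the bulletin and non-numeric tags such as `latest` are reported as unknown rather than fixed, because a floating tag says nothing about the bits actually running and must be resolved by digest.

```shell
#!/bin/sh
# Added example (not part of the IBM bulletin): check deployed IBM Voice Gateway
# image references against the fixed tags from the Remediation/Fixes section.
set -u

# Fixed tags taken from this bulletin. Image names without a registry prefix
# are assumed; a leading "docker.io/" is stripped before lookup.
fixed_tag_for() {
  case "$1" in
    ibmcom/voice-gateway-mr)          echo 1.0.8.8 ;;
    ibmcom/voice-gateway-tts-adapter) echo 1.0.8.4 ;;
    ibmcom/voice-gateway-stt-adapter) echo 1.0.8.4 ;;
    *) return 1 ;;
  esac
}

# version_ge A B: succeeds when dotted version A is >= B, comparing numeric
# components left to right. Missing components count as 0, so 1.0.8 < 1.0.8.8.
version_ge() {
  i=1
  while [ "$i" -le 6 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_image IMAGE[:TAG] -> prints "fixed", "vulnerable" or "unknown".
# "unknown" covers images the bulletin does not name, untagged references,
# digest references and non-numeric tags such as "latest".
check_image() {
  ref=${1#docker.io/}
  case "$ref" in
    *:*) repo=${ref%:*}; tag=${ref##*:} ;;
    *)   echo unknown; return 0 ;;
  esac
  if ! fixed=$(fixed_tag_for "$repo"); then
    echo unknown; return 0
  fi
  case "$tag" in
    ''|*[!0-9.]*) echo unknown; return 0 ;;
  esac
  if version_ge "$tag" "$fixed"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# vulnerable_count INVENTORY: number of newline-separated entries still on a
# tag below the fixed one.
vulnerable_count() {
  printf '%s\n' "$1" | while IFS= read -r img; do
    [ -n "$img" ] || continue
    check_image "$img"
  done | grep -c '^vulnerable$'
}

# Constructed sample inventory standing in for `docker ps --format '{{.Image}}'`.
sample_inventory='ibmcom/voice-gateway-mr:1.0.8
ibmcom/voice-gateway-tts-adapter:1.0.8.4
docker.io/ibmcom/voice-gateway-stt-adapter:1.0.7.1
ibmcom/voice-gateway-so:latest'

printf '%s\n' "$sample_inventory" | while IFS= read -r img; do
  printf '%s %s\n' "$(check_image "$img")" "$img"
done
echo "vulnerable entries: $(vulnerable_count "$sample_inventory")"
```

Run it against a real inventory with `vulnerable_count "$(docker ps --format '{{.Image}}')"` and fail the deployment check when the count is non-zero; follow up on every `unknown` line by hand, since the script deliberately refuses to guess.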

## Workarounds and Mitigations

None
