
Security Bulletin: Open Source Dependency Vulnerability

## Summary

IBM Edge Application Manager 4.5 resolves the vulnerabilities listed below.

## Vulnerability Details

**CVEID:** CVE-2020-25864
**DESCRIPTION:** HashiCorp Consul is vulnerable to cross-site scripting, caused by improper validation of user-supplied input of the key-value store by the KV API. A remote attacker could exploit this vulnerability using the raw parameter to inject malicious script into a Web page which would be executed in a victim's Web browser once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/200493 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2020-26160
**DESCRIPTION:** jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m["aud"] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
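
The jwt-go entry above comes down to one Go idiom: a failed type assertion written as `aud, _ := m["aud"].(string)` silently yields the empty string, and a verifier that treats the empty string as "claim absent" then accepts a token whose `aud` was actually a list. The following added example (not jwt-go's code, not part of the bulletin) contrasts a naive audience check showing that pattern with one that handles every JSON shape `aud` can take and treats unexpected types as failure. The claim sets are constructed inline; `VerifyAudience`, `naiveVerifyAudience` and the sample payload are this example's own names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// naiveVerifyAudience is a simplified illustration of the failure mode the
// bulletin describes (not jwt-go's actual source). When "aud" holds a list,
// the blank-identifier assertion yields "" instead of an error, and the
// "claim not required" branch accepts the token.
func naiveVerifyAudience(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string) // []string{} or []interface{} silently becomes ""
	if aud == "" {
		return !required
	}
	return aud == expected
}

// VerifyAudience checks the "aud" claim of a decoded claim set against the
// audience this service expects. A JSON decoder may deliver "aud" as a string,
// a []interface{} of strings, or (when built in Go) a []string. Only a genuinely
// absent claim takes the "not required" path; any other shape must contain the
// expected audience or the check fails.
func VerifyAudience(claims map[string]interface{}, expected string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required // truly absent: acceptable only if aud is optional
	}
	switch v := raw.(type) {
	case string:
		return v != "" && v == expected
	case []string:
		for _, a := range v {
			if a == expected {
				return true
			}
		}
		return false // includes the empty-list case
	case []interface{}:
		for _, item := range v {
			if a, ok := item.(string); ok && a == expected {
				return true
			}
		}
		return false
	default:
		return false // wrong type is a verification failure, not "absent"
	}
}

func main() {
	// Constructed sample claim set, as a JSON decoder would produce it.
	const payload = `{"sub":"alice","aud":["web","api"]}`
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		panic(err)
	}
	fmt.Println("strict :", VerifyAudience(claims, "api", true))       // true
	fmt.Println("naive  :", naiveVerifyAudience(claims, "api", false)) // true, despite never matching
}
```

The decisive design choice is the `default` branch: a claim that is present but has an unexpected type is rejected rather than folded into the "absent" case, so a decoding quirk can never widen what the verifier accepts.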

**CVEID:** CVE-2022-29526
**DESCRIPTION:** Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2021-38698
**DESCRIPTION:** HashiCorp Consul and Consul Enterprise could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission validation when registering a proxy for any other service. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to service traffic information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/208813 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2018-19653
**DESCRIPTION:** HashiCorp Consul could allow a remote attacker to obtain sensitive information, caused by the use of cleartext in the agent-to-agent RPC communication channel. By sniffing the network traffic, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/154105 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2021-44716
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2020-14040
**DESCRIPTION:** The Go x/text package is vulnerable to a denial of service, caused by a vulnerability in the UTF-16 decoder in encoding/unicode. By sending a single byte to a UTF-16 decoder, a remote attacker could exploit this vulnerability to cause the application to enter an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/184313 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2022-24687
**DESCRIPTION:** HashiCorp Consul and HashiCorp Consul Enterprise are vulnerable to a denial of service, caused by uncontrolled resource consumption. By registering a specifically-defined service, a remote authenticated attacker could exploit this vulnerability to cause a panic.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/220474 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2022-29153
**DESCRIPTION:** HashiCorp Consul and HashiCorp Consul Enterprise are vulnerable to server-side request forgery, caused by the HTTP health check endpoints following an HTTP redirect. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/224817 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2020-7219
**DESCRIPTION:** HashiCorp Consul and Consul Enterprise are vulnerable to a denial of service, caused by a flaw in the HTTP/RPC services. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/175518 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

## Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Edge Application Manager | 4.4 |
| IBM Edge Application Manager | 4.3 |

## Remediation/Fixes

The fix/upgrade is a set of Docker images that are automatically pulled and deployed from both Docker Hub and the IBM Entitled Registry.

## Workarounds and Mitigations

None
