## Summary
IBM Planning Analytics Workspace is affected by vulnerabilities. Node.js is an open-source and cross-platform JavaScript runtime environment (CVE-2023-23918, CVE-2023-23920, CVE-2023-24807, CVE-2023-23936, CVE-2023-23919). Node.js has been upgraded in IBM Planning Analytics Workspace to address these vulnerabilities.
## Vulnerability Details
** CVEID: **[CVE-2023-23918]()
** DESCRIPTION: **Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with –experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247698]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
** CVEID: **[CVE-2023-23920]()
** DESCRIPTION: **Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICU_DATA environment variable, an attacker could exploit this vulnerability to search and potentially load ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247694]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
** CVEID: **[CVE-2023-24807]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Headers.set() and Headers.append() methods in the fetch API. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247695]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
** CVEID: **[CVE-2023-23936]()
** DESCRIPTION: **Node.js is vulnerable to CRLF injection, caused by a flaw in the fetch API. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning, session hijacking, HTTP response splitting or HTTP header injection.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247696]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
** CVEID: **[CVE-2023-23919]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by not clear the OpenSSL error stack after operations. By sending specially-crafted cryptographic operations, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247697]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
## Affected Products and Versions
Affected Product(s)| Version(s)
—|—
IBM Planning Analytics| 2.0
## Remediation/Fixes
It is strongly recommended that you apply the most recent security update:
Product(s)| Versions(s)| Remediation/Fix/Instructions
—|—|—
IBM Planning Analytics Workspace| 2.0| [Download IBM Planning Analytics Local v2.0: Planning Analytics Workspace Release 86 from Fix Central]()
This Security Bulletin is applicable to IBM Planning Analytics 2.0 on premise offerings. The vulnerabilities listed above has been addressed on IBM Planning Analytics with Watson and no further action is required.
## Workarounds and Mitigations
None
References
Back to Main
