API Security Blog

Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps

Summary

Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.4.1.

Vulnerability Details

CVEID: CVE-2023-50447
DESCRIPTION: Pillow could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the PIL.ImageMath.eval function. By sending a specially crafted request using keys that leverage the environment parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/280022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2023-49569
DESCRIPTION: go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), an attacker could exploit this vulnerability to create and amend files across the filesystem and possibly execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/279932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-23652
DESCRIPTION: Moby BuildKit could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted request to remove arbitrary files on the system.
CVSS Base…
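Both the go-git and BuildKit entries above are directory traversal bugs in code that maps a client-supplied path under a base directory. The following is an added defensive example, not code from go-git, go-billy, BuildKit or IBM: a single confinement check that rejects a requested path when it leaves the base either lexically (".." segments) or through a symlink that already exists under the base. It assumes a hypothetical service that receives relative paths from clients and creates or edits files under a fixed root.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("path escapes the chroot base")

// under reports whether rel, a path relative to the base, stays inside it.
func under(rel string) bool {
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ConfinePath resolves requested under base and returns the absolute target,
// or ErrEscapesRoot if it leaves base lexically ("..") or via a symlink on the
// deepest existing ancestor. Absolute input is re-rooted under base, as a chroot would.
func ConfinePath(base, requested string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, requested) // Join cleans "." and ".." segments
	if rel, err := filepath.Rel(absBase, target); err != nil || !under(rel) {
		return "", ErrEscapesRoot
	}
	// Walk up to the deepest ancestor that exists; the target itself may be a
	// file that is about to be created.
	existing := target
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing = filepath.Dir(existing)
	}
	realBase, err := filepath.EvalSymlinks(absBase)
	if err != nil {
		return "", err
	}
	realExisting, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if rel, err := filepath.Rel(realBase, realExisting); err != nil || !under(rel) {
		return "", ErrEscapesRoot
	}
	return target, nil
}
```

The symlink step matters for the "create and amend files" case: a purely lexical check passes "link/evil" even when "link" points outside the base.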
