Summary

A vulnerability in Microsoft.BotBuilder affects IBM Robotic Process Automation which may result in elevated privileges. Microsoft.BotBuilder is used to enable communication between Azure Bot Services and the ChatBot API. This bulletin identifies the security fixes to apply to address the vulnerabilities.

Vulnerability Details

CVEID: CVE-2024-35255
DESCRIPTION: Microsoft Azure Identity Libraries and Microsoft Authentication Library could allow a local authenticated attacker to gain elevated privileges on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to elevate privileges and read any file on the file system with SYSTEM access permissions.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Robotic Process Automation for Cloud Pak | 23.0.0 – 23.0.17
IBM Robotic Process Automation | 23.0.0 – 23.0.17

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
---|---|---
IBM Robotic Process Automation | 23.0.0 – 23.0.17 | Download 23.0.18 or higher and follow these instructions.
IBM Robotic Process Automation for Cloud Pak | 23.0.0 – 23.0.17 | Update to 23.0.18 or higher using the following instructions.