## Summary
IBM Spectrum Symphony with Node.js various security issues
## Vulnerability Details
** CVEID: **[CVE-2023-23920]()
** DESCRIPTION: **Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICU_DATA environment variable, an attacker could exploit this vulnerability to search and potentially load ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247694]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
** CVEID: **[CVE-2023-30581]()
** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in process.mainModule.proto.require(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass experimental policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/258615]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
** CVEID: **[CVE-2023-30587]()
** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions. By exploiting the Worker class’s ability to create an “internal worker” with the kIsInternal Symbol, an attacker could exploit this vulnerability to modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/258618]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
** CVEID: **[CVE-2023-23919]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by not clear the OpenSSL error stack after operations. By sending specially-crafted cryptographic operations, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247697]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
** CVEID: **[CVE-2023-30588]()
** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By accessing public key info of provided certificates from user code, an attacker could exploit this vulnerability to force interruptions of application processing and cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/258623]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
** CVEID: **[CVE-2023-30584]()
** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/258617]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
** IBM X-Force ID: **259772
** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions, caused by the failure to respect whether the relevant directories use case-insensitive path processing by process.permission.deny(). By using case-insensitive paths and changing capitalization, an attacker could exploit this vulnerability to bypass permission model restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/259772 ]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
** IBM X-Force ID: **256137
** DESCRIPTION: **FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value field. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/256137 ]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
** IBM X-Force ID: **259087
** DESCRIPTION: **Node.js @strapi/plugin-users-permissions module could allow a remote attacker to bypass security restrictions, caused by using the AWS Cognito login provider’s None signing algorithm during the OAuth flow. An attacker could exploit this vulnerability to bypass authentication.
CVSS Base score: 8.2
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/259087 ]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
## Affected Products and Versions
Affected Product(s)| Version(s)
—|—
IBM Spectrum Symphony| IBM Spectrum Symphony 7.3.2
## Remediation/Fixes
IBM strongly suggests the following remediation or fix:
Upgrade to the latest versions of IBM Spectrum Symphony FP2 (**IBM Spectrum Symphony 7.3.2 with Fix 601711)**.
## Workarounds and Mitigations
None