Direct links to fixes
APAR status
Closed as program error.
Error description
CVEID: CVE-2018-25031
DESCRIPTION: swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-23369
DESCRIPTION: Node.js handlebars module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when selecting certain compiling options to compile templates coming from an untrusted source. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/199768 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-23383
DESCRIPTION: handlebars could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution when selecting certain compiling options to compile templates coming from an untrusted source. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/201205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Local fix
Problem summary
No additional information is available.
PRODUCT AFFECTED
IBM Cloud Pak for Business Automation
IBM Business Automation Workflow
Problem conclusion
A fix is available or will be available that updates the version of Swagger UI.
Temporary fix
Comments
APAR Information
APAR number
JR65073
Reported component name
CLOUD PAK FOR A
Reported component ID
5737I2300
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-07-26
Closed date
2022-09-30
Last modified date
2022-09-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CLOUD PAK FOR A
Fixed component ID
5737I2300
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059)
Product: IBM Cloud Pak for Business Automation (SSBYVB)
Platform: Platform Independent (PF025)
Version: L00
Line of Business: Automation (LOB45)
Document Information
Modified date:
11 December 2022