Security Bulletin: IBM Security QRadar EDR Software has multiple vulnerabilities

Vulnerability Details

CVEID:   CVE-2024-45643
DESCRIPTION:   IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive credential information.
CWE:   CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVSS Source:   IBM X-Force
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-45638
DESCRIPTION:   IBM Security ReaQta stores user credentials in plain text which can be read by a local privileged user.
CWE:   CWE-256: Plaintext Storage of a Password
CVSS Source:   IBM X-Force
CVSS Base score:   4.1
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-27306
DESCRIPTION:   aio-libs aiohttp is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   6.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2024-0690
DESCRIPTION:   An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
CWE:   CWE-117: Improper Output Neutralization for Logs
CVSS Source:   IBM X-Force
CVSS Base score:   5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-48795
DESCRIPTION:   The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
CWE:   CWE-354: Improper Validation of Integrity Check Value
CVSS Source:   NVD
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-36632
DESCRIPTION:   Python is vulnerable to a denial of service, caused by a RecursionError in email.utils.parseaddr #103800. By sending a specially crafted argument, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-674: Uncontrolled Recursion
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-32763
DESCRIPTION:   Qt is vulnerable to a denial of service, caused by a QTextLayout buffer overflow. By sending a specially crafted SVG file, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-32762
DESCRIPTION:   Qt could allow a remote attacker to bypass security restrictions, caused by incorrectly parsing the strict-transport-security (HSTS) header. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unencrypted connections to be established.
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2023-32573
DESCRIPTION:   In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
CWE:   CWE-369: Divide By Zero
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-27043
DESCRIPTION:   Python could allow a remote attacker to bypass security restrictions, caused by a parsing flaw in the email.utils.parsaddr() and email.utils.getaddresses() functions. By sending a specially-crafted e-mail addresses with a special character, an attacker could exploit this vulnerability to send messages from e-mail addresses that would otherwise be rejected.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2023-7104
DESCRIPTION:   SQLite SQLite3 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the sessionReadRecord function in ext/session/sqlite3session.c. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE:   CWE-122: Heap-based Buffer Overflow
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2023-2976
DESCRIPTION:   Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CWE:   CWE-552: Files or Directories Accessible to External Parties
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-48566
DESCRIPTION:   Python could allow a local authenticated attacker to obtain sensitive information, caused by a constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.py. By sending a specially crafted request using the accumulator variable in hmac.compare_digest, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source:   IBM X-Force
CVSS Base score:   6.1
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

CVEID:   CVE-2022-48565
DESCRIPTION:   Python could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-611: Improper Restriction of XML External Entity Reference
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-48564
DESCRIPTION:   Python is vulnerable to a denial of service, caused by a flaw in the read_ints function in plistlib.py. By persuading a victim to open a specially crafted Apple Property List file file, a remote attacker could exploit this vulnerability to cause CPU and RAM exhaustion, and results in a denial of service condition.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-48560
DESCRIPTION:   Python is vulnerable to a denial of service, caused by a use-after-free flaw in the heappushpop() function in the heapq module. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-416: Use After Free
CVSS Source:   IBM X-Force
CVSS Base score:   6.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-41854
DESCRIPTION:   snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-121: Stack-based Buffer Overflow
CVSS Source:   CVE.org
CVSS Base score:   5.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H)

CVEID:   CVE-2023-46234
DESCRIPTION:   browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
CWE:   CWE-347: Improper Verification of Cryptographic Signature
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-40217
DESCRIPTION:   Python could allow a remote attacker to bypass security restrictions, caused by a race condition in the SSLSocket module. When the socket is closed before the TLS handshake is complete, the data is treated as if it had been encrypted by TLS. An attacker could exploit this vulnerability to bypass the TLS handshake and inject a malicious client certificate into the connection and gain access to the server’s resources without being authenticated.
CVSS Source:   IBM X-Force
CVSS Base score:   7.4
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2023-24329
DESCRIPTION:   Python could allow a remote attacker to bypass security restrictions, caused by a flaw in the urllib.parse component. By sending a specially-crafted request using URL starts with blank characters, an attacker could exploit this vulnerability to bypass blocklisting methods.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-4807
DESCRIPTION:   OpenSSL is vulnerable to a denial of service, caused by a state corruption flaw in the POLY1305 MAC (message authentication code) implementation, when running on newer X86_64 processors supporting the AVX512-IFMA instructions. A local authenticated attacker could exploit this vulnerability to cause an incorrect result of some application dependent calculations or a crash or in some cases gain complete control of the application process.
CWE:   CWE-440: Expected Behavior Violation
CVSS Source:   IBM X-Force
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-46175
DESCRIPTION:   JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE:   CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source:   IBM X-Force
CVSS Base score:   7.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)

CVEID:   CVE-2022-45061
DESCRIPTION:   Python is vulnerable to a denial of service, caused by an unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a CPU denial of service condition.
CWE:   CWE-407: Inefficient Algorithmic Complexity
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-38900
DESCRIPTION:   decode-uri-component is vulnerable to a denial of service, caused by improper input validation by the decodeComponents function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-35737
DESCRIPTION:   SQLite is vulnerable to a denial of service, caused by an array-bounds overflow. By sending C API with specially-crafted string argument, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-129: Improper Validation of Array Index
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-25857
DESCRIPTION:   Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-24302
DESCRIPTION:   Paramiko could allow a remote attacker to obtain sensitive information, caused by a race condition in the write_private_key_file function. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-4742
DESCRIPTION:   json-pointer could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the index.js script. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE:   CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source:   IBM X-Force
CVSS Base score:   7.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2022-1471
DESCRIPTION:   SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   CVE.org
CVSS Base score:   8.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

CVEID:   CVE-2022-1365
DESCRIPTION:   cross-fetch could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the Cookie header. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE:   CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CVSS Source:   IBM X-Force
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-32804
DESCRIPTION:   Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing "dot dot" sequences (/../) to create or overwrite arbitrary files on the system.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source:   IBM X-Force
CVSS Base score:   8.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID:   CVE-2021-32803
DESCRIPTION:   Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing "dot dot" sequences (/../) to create or overwrite arbitrary files on the system.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source:   IBM X-Force
CVSS Base score:   8.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)