CVE-2023-35899 (GCVE-0-2023-35899)
Vulnerability from cvelistv5 – Published: 2024-03-05 18:55 – Updated: 2024-08-02 18:59
VLAI?
Title
IBM Cloud Pak for Automation CSV injection
Summary
IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
Severity ?
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Cloud Pak for Automation |
Affected:
18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:40.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7030357"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259354"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cloud_pak_for_business_automation",
"vendor": "ibm",
"versions": [
{
"lessThanOrEqual": "18.0.2",
"status": "affected",
"version": "18.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.0.3",
"status": "affected",
"version": "19.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.0.3",
"status": "affected",
"version": "20.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "21.0.1_if008",
"status": "affected",
"version": "21.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "22.0.2_if005",
"status": "affected",
"version": "22.0.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "23.0.1_if001",
"status": "affected",
"version": "23.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cloud_pak_for_business_automation",
"vendor": "ibm",
"versions": [
{
"lessThanOrEqual": "21.0.3_if023",
"status": "affected",
"version": "21.0.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T18:35:54.058746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T18:59:01.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud Pak for Automation",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354."
}
],
"value": "IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-05T18:55:44.903Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7030357"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259354"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cloud Pak for Automation CSV injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-35899",
"datePublished": "2024-03-05T18:55:44.903Z",
"dateReserved": "2023-06-20T02:24:31.593Z",
"dateUpdated": "2024-08-02T18:59:01.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.\"}, {\"lang\": \"es\", \"value\": \"IBM Cloud Pak para automatizaci\\u00f3n 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0 .3, 22.0.1 y 22.0.2 son potencialmente vulnerables a la inyecci\\u00f3n CSV. Un atacante remoto podr\\u00eda ejecutar comandos arbitrarios en el sistema, causados por una validaci\\u00f3n inadecuada del contenido del archivo csv. ID de IBM X-Force: 259354.\"}]",
"id": "CVE-2023-35899",
"lastModified": "2024-11-21T08:08:57.040",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@us.ibm.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}]}",
"published": "2024-03-21T02:47:58.550",
"references": "[{\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\", \"source\": \"psirt@us.ibm.com\"}, {\"url\": \"https://www.ibm.com/support/pages/node/7030357\", \"source\": \"psirt@us.ibm.com\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.ibm.com/support/pages/node/7030357\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "psirt@us.ibm.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"psirt@us.ibm.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1236\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-35899\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2024-03-21T02:47:58.550\",\"lastModified\":\"2025-03-05T19:43:26.133\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.\"},{\"lang\":\"es\",\"value\":\"IBM Cloud Pak para automatizaci\u00f3n 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0 .3, 22.0.1 y 22.0.2 son potencialmente vulnerables a la inyecci\u00f3n CSV. Un atacante remoto podr\u00eda ejecutar comandos arbitrarios en el sistema, causados por una validaci\u00f3n inadecuada del contenido del archivo csv. ID de IBM X-Force: 259354.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1236\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D419EF8-4D41-4FBE-A41B-9F9EAF7F72EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C27956AA-CCEE-4073-A8D7-D1B9575EE25C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"12A70646-ADD3-4CF7-A591-8BE96FBEF5A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF6CB2C4-800F-487A-B0E5-8A0A9718549D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D52711AA-0F11-47E7-8EE8-6B8D65403F8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE2C6F84-C83F-4AE1-B0A7-740568F52C04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC8A641D-B7AB-41FA-AFDB-2C8EBDA6A1A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"250AC4D5-1D25-4EEE-B1CA-AA8E104BBF7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C5B7FA4-A27C-40CA-AA53-183909D18C13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0413501D-975D-469E-A854-61E12039A8D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06B0B413-0396-4213-9719-C22AEFC7B3E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8D6EB68-3804-494D-B12A-2E96E31D1B1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"21D8DE68-5651-4068-B978-79B28F2DC5D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBEA972A-A41E-44C9-8D35-1A991D3384B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_003:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3009F4E-7157-43D3-B6A0-2531CDE619BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DA97C23-9B80-4956-9873-317902A0D804\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_005:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D0B6203-C775-4C5E-BAE9-C956E718F261\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_006:*:*:*:*:*:*\",\"matchCriteriaId\":\"257A7A17-7EDF-4E23-88A6-216BC29EC467\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_007:*:*:*:*:*:*\",\"matchCriteriaId\":\"26FF217B-1BD4-46E5-8023-2B2989FF7868\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_008:*:*:*:*:*:*\",\"matchCriteriaId\":\"C60E58EA-C4D5-4D4D-8C9B-3EC33A7027E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_009:*:*:*:*:*:*\",\"matchCriteriaId\":\"7817670E-5649-42A9-B5F9-7586D7AEB4CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_010:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC7F85E8-8185-418A-B25F-8E64A58177DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_011:*:*:*:*:*:*\",\"matchCriteriaId\":\"37616DCD-C26C-44EA-AA7F-732DC128FFE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_012:*:*:*:*:*:*\",\"matchCriteriaId\":\"26CAC076-6FED-49E2-BF33-230F1D1195F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_013:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A88C56C-22CC-4791-BB33-C1494E7F41EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_014:*:*:*:*:*:*\",\"matchCriteriaId\":\"12652B2E-307E-4568-920B-A869914ED650\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_015:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F4E242F-BDF4-4CFE-B808-4A4B7A6FAD0D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_016:*:*:*:*:*:*\",\"matchCriteriaId\":\"88E736CF-CA6E-400B-9AE3-2C58D2265752\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_017:*:*:*:*:*:*\",\"matchCriteriaId\":\"02488B2F-8D6E-4BDC-8DA9-45F5EBC42049\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_018:*:*:*:*:*:*\",\"matchCriteriaId\":\"854F4AF8-B712-446E-9DE1-A2496D5E9C1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_019:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF3F1B62-089B-41ED-AD3E-F31F8E967F18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_020:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABB843C3-F26D-43A5-AD3E-9D30D00339D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_021:*:*:*:*:*:*\",\"matchCriteriaId\":\"42A67A28-CBF1-4C37-A217-F4789ED1850E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_022:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFEF1033-B100-400A-9B2B-94AEE3A7B94A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_023:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F109F93-1CE8-4F86-9070-73012ED0FE79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C35A26E3-D2F7-466C-9010-06AA76568A1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59BF1F79-6E1E-49EE-8D8E-B524F040AA29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"01632D44-1A4A-4C1A-A19D-8E815617B905\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"12CE606B-49F1-425F-A00B-23E3C91CCB0B\"}]}]}],\"references\":[{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ibm.com/support/pages/node/7030357\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ibm.com/support/pages/node/7030357\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7030357\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\", \"tags\": [\"vdb-entry\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:37:40.037Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-35899\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-02T18:35:54.058746Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:-:*:*:*:*:*:*\"], \"vendor\": \"ibm\", \"product\": \"cloud_pak_for_business_automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"18.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"18.0.2\"}, {\"status\": \"affected\", \"version\": \"19.0.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"19.0.3\"}, {\"status\": \"affected\", \"version\": \"20.0.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"20.0.3\"}, {\"status\": \"affected\", \"version\": \"21.0.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"21.0.1_if008\"}, {\"status\": \"affected\", \"version\": \"22.0.2\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"22.0.2_if005\"}, {\"status\": \"affected\", \"version\": \"23.0.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"23.0.1_if001\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*\"], \"vendor\": \"ibm\", \"product\": \"cloud_pak_for_business_automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"21.0.3\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"21.0.3_if023\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-02T18:52:39.431Z\"}}], \"cna\": {\"title\": \"IBM Cloud Pak for Automation CSV injection\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"IBM\", \"product\": \"Cloud Pak for Automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7030357\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/259354\", \"tags\": [\"vdb-entry\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1236\", \"description\": \"CWE-1236 Improper Neutralization of Formula Elements in a CSV File\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2024-03-05T18:55:44.903Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-35899\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T18:59:01.678Z\", \"dateReserved\": \"2023-06-20T02:24:31.593Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2024-03-05T18:55:44.903Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…