Imechapishwa: Aug 16, 2024 18:36
Advisory No: TZCERT-SA-24-0009
Source: Apache Velocity, protobuf.js, Containerd
Software Affected: Apache Velocity, protobuf.js, Containerd
Multiple IBM products depending on Apache Velocity, protobuf.js, Containerd are vulnerable to critical vulnerabilities. Attackers can exploit the vulnerabilities to execute arbitrary code on the affected system.
Multiple IBM products depending on Apache Velocity, protobuf.js, and Containerd and are affected by critical vulnerabilities with CVSS base scores of 9.8 and tracked as CVE-2020-13936, CVE-2023-36665, and CVE-2020-15257 respectively. The vulnerabilities exist due to a sandbox bypass flaw in Apache Velocity, prototype pollution in protobufjs, and improper access control in containerd-shim API in containerd. The attackers can send specially-crafted requests to execute arbitrary code on the vulnerable system.
Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.
IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.
