Multiple Critical Vulnerabilities in IBM Products (CVE-2023-26119, CVE-2022-30123, CVE-2019-16782)

Published: Jan 31, 2025 17:02

Advisory No: TZCERT-SA-25-0055

Source: IBM

Software Affected: htmlunit, ruby, rack

Overview

Multiple IBM products are affected by critical vulnerabilities in third-party components they depend on. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.

Description

IBM products that depend on htmlunit, ruby, and rack are affected by vulnerabilities tracked as CVE-2023-26119, CVE-2022-30123, and CVE-2019-16782, with CVSS scores of 9.8, 9.8 and 9.1 respectively. CVE-2023-26119 is an XSLT code injection flaw in htmlunit. CVE-2022-30123 is a shell escape sequence injection flaw in the rack Lint and CommonLogger components, which write attacker-controlled request data into log output without escaping control characters. CVE-2019-16782 arises from rack using the session id presented by the client directly as the key for querying the backing session storage engine. Together these vulnerabilities allow attackers to obtain session id information and use it to launch further attacks, and to execute arbitrary commands on the affected system.
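The following Ruby example is added here to illustrate the two rack flaw classes named above; it is not code from IBM, rack, or the advisory. It shows a log line built from an unescaped request path (the CommonLogger pattern) next to a version that escapes control characters, and a session store that keys sessions by the raw client-supplied id next to one that keys them by a hash of it, so that a key recovered from the store (for example through a timing side channel on the lookup, which is the mechanism behind CVE-2019-16782) cannot be replayed as a cookie. The sample request paths, the `sanitize_for_log` helper, the `HashedSessionStore` class and the SHA-256 derivation are all assumptions made for this illustration and do not reproduce rack's actual fix.

```ruby
require "digest"
require "securerandom"

# Constructed sample request paths (not taken from the advisory). The second
# one embeds ANSI escape sequences and CR/LF to forge a fake entry for anyone
# tailing the log in a terminal.
SAMPLE_PATHS = [
  "/index.html",
  "/login\e[2K\r200 OK - admin logged in\e[0m\n/evil",
].freeze

# Vulnerable pattern: the request path is interpolated into the log line as-is,
# so terminal control sequences supplied by the client reach the log consumer.
def unsafe_log_line(method, path, status)
  "#{method} #{path} #{status}"
end

# Hardened pattern: every control character (including ESC 0x1B and DEL 0x7F)
# is replaced by a visible \xNN escape before the path enters the log line.
# This helper is an assumption for the example, not rack's escaping routine.
def sanitize_for_log(str)
  str.each_char.map do |c|
    o = c.ord
    (o < 0x20 || o == 0x7F) ? format("\\x%02X", o) : c
  end.join
end

def safe_log_line(method, path, status)
  "#{method} #{sanitize_for_log(path)} #{status}"
end

# Vulnerable pattern: the public session id from the cookie is used directly
# as the key in the backing store, so whatever identifies the record in the
# store is also the bearer token that authenticates the client.
class RawSessionStore
  def initialize
    @sessions = {}
  end

  def create(public_id, data)
    @sessions[public_id] = data
  end

  def find(public_id)
    @sessions[public_id]
  end

  def raw_keys
    @sessions.keys
  end
end

# Hardened pattern (assumed for this example): the store key is a SHA-256 hash
# of the public id. A key recovered from the store cannot be presented as a
# cookie because the lookup hashes the cookie value again before comparing.
def store_key_for(public_id)
  Digest::SHA256.hexdigest(public_id)
end

class HashedSessionStore
  def initialize
    @sessions = {}
  end

  def create(public_id, data)
    @sessions[store_key_for(public_id)] = data
  end

  def find(public_id)
    @sessions[store_key_for(public_id)]
  end

  def raw_keys
    @sessions.keys
  end
end

def new_session_id
  SecureRandom.hex(32)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |p|
    puts "unsafe: #{unsafe_log_line('GET', p, 200).inspect}"
    puts "safe:   #{safe_log_line('GET', p, 200)}"
  end
  sid = new_session_id
  store = HashedSessionStore.new
  store.create(sid, { user: "alice" })
  puts "cookie id accepted: #{!store.find(sid).nil?}"
  puts "leaked store key accepted as cookie: #{!store.find(store.raw_keys.first).nil?}"
end
```

Run it directly to see that the unescaped line still contains the raw ESC and CR bytes while the sanitized line renders them as `\x1B` and `\x0D`, and that a key lifted out of `HashedSessionStore` does not authenticate when presented as a session cookie, whereas with `RawSessionStore` it does.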

Impact

Successful exploitation of these vulnerabilities may allow attackers to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
