CVE Published: 05/03/2024 |
CVE Updated: 02/08/2024 |
CVE Year: 2023 Source: ibm |
Vendor: IBM |
Product: Cloud Pak for Automation Status : PUBLISHED
CVE-2023-35899 Description
IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
Metrics
CVSS Version: 3.1 |
Base Score: 7 HIGH Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* LOCAL Attack Complexity (AC)* HIGH Privileges Required (PR)* NONE User Interaction (UI)* REQUIRED Scope (S)* UNCHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-1236 CWE Name: CWE-1236 Improper Neutralization of Formula Elements in a CSV File Source: IBM
Common Attack Pattern Enumeration and Classification (CAPEC)