Vulnerability Name: | CVE-2022-32215 (CCN-230659) |
Assigned: | 2022-07-07 |
Published: | 2022-07-07 |
Updated: | 2023-07-19 |
Summary: | |
CVSS v3 Severity: | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): Low; Integrity (I): Low; Availability (A): None |

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): Low; Integrity (I): Low; Availability (A): None |

6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): Low; Integrity (I): Low; Availability (A): None |
CVSS v2 Severity: | 6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics: | Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None |
Impact Metrics: | Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None |
Vulnerability Consequences: | Gain Access |
References: | Source: MITRE Type: CNA CVE-2022-32215
Source: support@hackerone.com Type: Patch, Third Party Advisory support@hackerone.com
Source: XF Type: UNKNOWN nodejs-cve202232215-request-smuggling(230659)
Source: support@hackerone.com Type: Exploit, Issue Tracking, Third Party Advisory support@hackerone.com
Source: support@hackerone.com Type: Mailing List, Third Party Advisory support@hackerone.com
Source: support@hackerone.com Type: Mailing List, Third Party Advisory support@hackerone.com
Source: support@hackerone.com Type: Mailing List, Third Party Advisory support@hackerone.com
Source: CCN Type: Node.js Blog, 2022-07-07 July 7th 2022 Security Releases
Source: support@hackerone.com Type: Patch, Vendor Advisory support@hackerone.com
Source: CCN Type: Node.js Blog, 2022-09-23 September 22nd 2022 Security Releases
Source: CCN Type: SNYK-JS-LLHTTP-2946720 HTTP Request Smuggling
Source: support@hackerone.com Type: Third Party Advisory support@hackerone.com
Source: CCN Type: IBM Security Bulletin 6603049 (Answer Retrieval for Watson Discovery) IBM Answer Retrieval for Watson Discovery is vulnerable to HTTP request smuggling due to NodeJS
Source: CCN Type: IBM Security Bulletin 6610929 (Voice Gateway) Multiple Vulnerabilities in node.js
Source: CCN Type: IBM Security Bulletin 6611585 (Cloud Pak for Integration) Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6613025 (App Connect Enterprise) Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus
Source: CCN Type: IBM Security Bulletin 6616293 (Cloud Transformation Advisor) IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6619919 (Spectrum Protect Plus) Multiple vulnerabilities in Node.js may affect IBM Spectrum Protect Plus (CVE-2022-32223, CVE-2022-32215, CVE-2022-33987, CVE-2022-32213, CVE-2022-32212, CVE-2022-32222, CVE-2022-32214)
Source: CCN Type: IBM Security Bulletin 6659671 (Spectrum Control) IBM Spectrum Control is vulnerable to multiple weaknesses related Java SE and Node
Source: CCN Type: IBM Security Bulletin 6825155 (Watson Assistant for Cloud Pak for data) Multiple Vulnerabilities in node.js
Source: CCN Type: IBM Security Bulletin 6825561 (Event Streams) Multiple vulnerabilities in Node.js affect IBM Event Streams
Source: CCN Type: IBM Security Bulletin 6831297 (Cloud Pak for Watson AIOps) A security vulnerability in Node.js affects IBM Cloud Pak for Watson AIOps Infrastructure Automation
Source: CCN Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps) Multiple Vulnerabilities in CloudPak for Watson AIOPs
Source: CCN Type: IBM Security Bulletin 6832732 (Cloud Pak for Automation) Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for October 2022
Source: CCN Type: IBM Security Bulletin 6833888 (Business Automation Workflow traditional) Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow
Source: CCN Type: IBM Security Bulletin 6837325 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container may be vulnerable to HTTP request smuggling due to CVE-2022-32215
Source: CCN Type: IBM Security Bulletin 6840765 (DataPower Gateway) IBM DataPower Gateway potentially vulnerable to HTTP request smuggling
Source: CCN Type: IBM Security Bulletin 6840919 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js
Source: CCN Type: IBM Security Bulletin 6841799 (Planning Analytics Workspace) IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB
Source: CCN Type: IBM Security Bulletin 6986505 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
|
Vulnerable Configuration: |
Configuration RedHat 1: cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2: cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3: cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 4: cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
Configuration CCN 1: cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
AND
cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.0.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.0.3.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.0.4.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.5.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise:12.0.5.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
OR cpe:/a:ibm:datapower_gateway:2018.4.1.22:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.0.1.9:*:*:*:*:*:*:*
OR cpe:/a:ibm:datapower_gateway:10.5.0.2:*:*:*:*:*:*:*
|
nodejs node.js 14.0
ibm spectrum protect plus 10.1.0
ibm app connect 11.0.0.0
ibm integration bus 10.0.0.0
ibm datapower gateway 2018.4.1.0
ibm cognos analytics 11.1
ibm cloud transformation advisor 2.0.1
ibm cloud pak for automation 19.0.3
ibm cloud pak for automation 20.0.1
ibm event streams 10.0.0
ibm cloud pak for automation 20.0.2
ibm event streams 10.1.0
ibm datapower gateway 10.0.1.0
ibm cloud pak for automation 20.0.3
ibm voice gateway 1.0.7
ibm event streams 10.2.0
ibm cloud pak for automation 21.0.1
ibm app connect enterprise 12.0.1.0
ibm cloud pak for automation 21.0.2 -
ibm event streams 10.3.0
ibm event streams 10.3.1
ibm planning analytics workspace 2.0
ibm cloud pak for automation 19.0.1
ibm business automation workflow 20.0.0.1
ibm business automation workflow 20.0.0.2
ibm business automation workflow 21.0.1
ibm datapower gateway 10.0.3.0
ibm cloud pak for automation 19.0.2
ibm datapower gateway 10.0.4.0
ibm app connect enterprise certified container 4.1
ibm app connect enterprise certified container 4.2
ibm datapower gateway 10.5.0.0
ibm app connect enterprise 12.0.5.0
ibm business automation workflow 22.0.1
ibm datapower gateway 2018.4.1.22
ibm app connect enterprise certified container 5.0
ibm app connect enterprise certified container 5.1
ibm app connect enterprise certified container 5.2
ibm datapower gateway 10.0.1.9
ibm datapower gateway 10.5.0.2