Vulnerability Name:

CVE-2022-3517 (CCN-238615)

Assigned:2022-02-06
Published:2022-02-06
Updated:2023-07-21
Summary:
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-3517

Source: XF
Type: UNKNOWN
minimatch-cve20223517-dos(238615)

Source: secalert@redhat.com
Type: Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com

Source: CCN
Type: minimatch GIT Repository
Improve redos protection, add many tests

Source: secalert@redhat.com
Type: Patch, Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Third Party Advisory
secalert@redhat.com

Source: CCN
Type: IBM Security Bulletin 6845964 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to minimatch denial of service (CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6856471 (Process Mining)
Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517

Source: CCN
Type: IBM Security Bulletin 6857699 (Robotic Process Automation for Cloud Pak)
A vulnerability in minimatch may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6890653 (Cloud Integration Platform)
Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to minimatch CVE-2022-3517

Source: CCN
Type: IBM Security Bulletin 6955067 (Spectrum Protect Plus)
Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6956237 (Spectrum Protect)
Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation)
Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6959917 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands may be vulnerable to regular expression denial of service due to [CVE-2022-3517]

Source: CCN
Type: IBM Security Bulletin 6991625 (Edge Application Manager)
Open Source Dependency Vulnerability

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:minimatch_project:minimatch:3.0.4:*:*:*:*:node.js:*:*
  • AND
  • cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20230321
    P
    		RHSA-2023:0321: nodejs and nodejs-nodemon security, bug fix, and enhancement update (Moderate)
    2023-01-23
    oval:com.redhat.rhsa:def:20230050
    P
    		RHSA-2023:0050: nodejs:14 security, bug fix, and enhancement update (Moderate)
    2023-01-09
    oval:com.redhat.rhsa:def:20229073
    P
    		RHSA-2022:9073: nodejs:16 security, bug fix, and enhancement update (Moderate)
    2022-12-15
    oval:com.redhat.rhsa:def:20228832
    P
    		RHSA-2022:8832: nodejs:18 security, bug fix, and enhancement update (Moderate)
    2022-12-06
    oval:com.redhat.rhsa:def:20228833
    P
    		RHSA-2022:8833: nodejs:18 security, bug fix, and enhancement update (Moderate)
    2022-12-06
    BACK
    minimatch_project minimatch 3.0.4
    ibm mobilefirst platform foundation 8.0.0.0
    ibm spectrum protect plus 10.1.6
    ibm spectrum protect plus 10.1.7
    ibm spectrum protect 8.1.7.0
    ibm spectrum protect plus 10.1.8
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm robotic process automation for cloud pak 21.0.7
    ibm robotic process automation 21.0.7
    ibm app connect enterprise certified container 6.2