CVE-2020-4627 — Improper Neutralization of Formula Elements in a CSV File in IBM Cloud PAK FOR Security

CWE-1236 — Improper Neutralization of Formula Elements in a CSV File CWE-74 — Injection6 documents4 sources

Severity

9.0CRITICALNVD

EPSS

0.9%

top 24.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Cloud PAK FOR Security

Timeline

PublishedNov 30

Latest updateMay 24

Description

IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 185367.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5ibm/cloud_pak_for_security1.3.0.1

▶NVDibm/cloud_pak1.3.0.1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-h524-q6jx-7vf6: IBM Cloud Pak for Security 1↗2022-05-24

▶

CVEList

CVE-2020-4627: IBM Cloud Pak for Security 1↗2020-11-30

▶

💬Community

Bugzilla

CVE-2019-7638 SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c↗2019-02-14

▶

Bugzilla

CVE-2019-7572 SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c↗2019-02-13

▶

Bugzilla

CVE-2019-7577 SDL: buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c↗2019-02-12

▶