CVE-2023-35899Improper Neutralization of Formula Elements in a CSV File in IBM Cloud PAK FOR Automation

CWE-1236Improper Neutralization of Formula Elements in a CSV File3 documents3 sources
Severity
9.8CRITICALNVD
CNA7.0
EPSS
0.1%
top 74.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
IBM Cloud PAK FOR AutomationIBM Cloud PAK FOR Business Automation
Timeline
PublishedMar 21

Description

IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5ibm/cloud_pak_for_automation18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2
NVDibm/cloud_pak15 versions+14

🔴Vulnerability Details

2
GHSA
GHSA-w8ph-83jm-g88m: IBM Cloud Pak for Automation 182024-03-21
CVEList
IBM Cloud Pak for Automation CSV injection2024-03-05
CVE-2023-35899 — IBM vulnerability | cvebase