PT-2024-5583 · Ibm · Ibm Qradar Suite+1

Mestrtee

Published 2024-07-01 · Updated 2024-08-20 · CVE-2024-39008

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
robinweser fast-loops version 1.1.3
IBM QRadar Suite (affected versions not specified)
IBM Cloud Pak for Security (affected versions not specified)

Description
The issue is an uncontrolled modification of object prototype attributes (prototype pollution) in the robinweser fast-loops utility, which is used in IBM QRadar Suite and IBM Cloud Pak for Security. A remote attacker can execute arbitrary code by sending a specially crafted network message that reaches the vulnerable function. The root cause is prototype pollution in the objectMergeDeep function, which lets an attacker inject arbitrary properties into shared prototypes, potentially leading to code execution or a Denial of Service (DoS).

Recommendations
For robinweser fast-loops version 1.1.3, consider disabling the objectMergeDeep function until a patch is available. For IBM QRadar Suite, restrict access to the vulnerable module to minimize the risk of exploitation. For IBM Cloud Pak for Security, avoid using the vulnerable function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
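The defect class the description refers to, shown as an added illustration that is not fast-loops or IBM code: a constructed, simplified recursive deep merge that follows a `__proto__` key into `Object.prototype`, next to a hardened variant that refuses prototype-chain keys and only recurses into the target's own properties. The `mergeDeepUnsafe`, `mergeDeepSafe` and `demo` names and the sample JSON message are assumptions made here.

```javascript
// Constructed, simplified deep merge with the defect the advisory describes
// (NOT the fast-loops objectMergeDeep code), next to a hardened variant.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge: for a key named "__proto__", target[key] resolves to
// Object.prototype, so the recursion writes attacker properties onto every object.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeDeepUnsafe(target[key], source[key]);
    } else if (isPlainObject(source[key])) {
      target[key] = mergeDeepUnsafe({}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: refuse prototype-chain keys and recurse only into properties
// that `target` owns itself, never inherited ones.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = mergeDeepSafe(own ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed untrusted input, as it would arrive in a parsed JSON network message.
const UNTRUSTED_JSON = '{"name":"report","__proto__":{"polluted":true}}';

// Merges the payload into a fresh object and reports whether an unrelated empty
// object now inherits the injected key; undoes the pollution before returning.
function demo(mergeFn) {
  const result = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted, name: result.name };
}
console.log('unsafe:', demo(mergeDeepUnsafe).polluted, 'safe:', demo(mergeDeepSafe).polluted); // true false
```

A detection-side check for this class is the same probe `demo` uses: after processing untrusted input, an unrelated fresh `{}` should never carry unexpected keys.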

Weakness Enumeration

Prototype Pollution

Related Identifiers

BDU:2024-06268
CVE-2024-39008
GHSA-3Q56-9CC2-46J4

Affected Products

Ibm Cloud Pak For Security
Ibm Qradar Suite