QID 375337

Date Published: 2021-05-26

QID 375337: IBM Spectrum Control Multiple Vulnerabilities (6415993)

IBM Spectrum Protect provides automated, centrally scheduled, policy-managed backup, archive, and space-management capabilities for file servers.

CVE-2020-26258: XStream is vulnerable to server-side request forgery, caused by a flaw when unmarshalling. By manipulating the processed input stream, a remote attacker could exploit this vulnerability to obtain sensitive data.
CVE-2020-26259: XStream could allow a remote attacker to delete arbitrary files from the system, caused by improper input sanitization. By manipulating the processed input, an attacker could exploit this vulnerability to delete arbitrary files from the system.
CVE-2020-26217: XStream could allow a remote attacker to execute arbitrary code on the system, caused by flaws in the XStream.java and SecurityVulnerabilityTest.java source files.
CVE-2020-13956: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by improper handling of a malformed authority component in request URIs.
CVE-2020-25649: FasterXML Jackson Databind could provide weaker than expected security, caused by entity expansion not being secured properly.
CVE-2020-1971: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference.
CVE-2020-8265: Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS-enabled socket
CVE-2020-8287: Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers

Affected Versions:
IBM Spectrum Protect 5.3.0.1 through 5.4.1

QID Detection Logic (Authenticated):
The check looks for a vulnerable version of IBM Spectrum Protect.

An attacker could exploit these vulnerabilities to corrupt memory and cause a denial of service, conduct XSS attacks, and execute arbitrary code on the system.

  • CVSS V3 rated as Critical - 8.8 severity.
  • CVSS V2 rated as Critical - 9.3 severity.
  • Solution
    The vendor has released an updated version to address these issues. Refer to the vendor reference below for details.
    Vendor References
    Software Advisories
    Advisory ID: 359939#53_0
    Link: www.ibm.com/support/pages/node/359939#53_0