CVE-2023-37536: 
HCL BigFix Server vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2023-37536) was discovered in xerces-c++ 3.2.3 within the BigFix Platform. This vulnerability allows remote attackers to cause out-of-bound access through specially crafted HTTP requests. The vulnerability affects BigFix Platform versions from 9.0.0 to 9.5.23 and 10.0.0 to 10.0.10 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound) and CWE-680 (Integer Overflow to Buffer Overflow). The issue specifically involves an integer overflow condition that can lead to out-of-bounds access when processing HTTP requests (NVD, Ubuntu).

The vulnerability can result in high impacts across confidentiality, integrity, and availability. When successfully exploited, it allows attackers to cause out-of-bounds access, potentially leading to information disclosure, system compromise, or service disruption (NVD).

Multiple vendors have released patches to address this vulnerability. Ubuntu has fixed the issue in versions 22.04 LTS (3.2.3+debian-3ubuntu0.1), 20.04 LTS (3.2.2+debian-1ubuntu0.2), and other releases. Fedora has updated to xerces-c version 3.2.5 in their repositories. Debian has also released security updates to address this vulnerability (Ubuntu, Fedora).