IBM019F88F4FEFA465EB19A652FAD507A1FB8AAD31A77EB2E833E2C045571AE83F8Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872)
0.001 Low
EPSS
Percentile
29.0%
Summary
Business Automation Studio in IBM Cloud Pak for Automation is vulnerable to a host header injection attack.
Vulnerability Details
CVEID:CVE-2021-29872
**DESCRIPTION:**IBM ICP4A - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206228 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak for Automation |
21.0.1 before IF007
21.0.2 before IF007
Note that 21.0.3 is not affected.
Remediation/Fixes
The recommended action is to upgrade to the latest cumulative security fix for your release and consider upgrading to the latest release.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak for automation | eq | 21.0.1 | |
| ibm cloud pak for automation | eq | 21.0.2 |
Related
0.001 Low
EPSS
Percentile
29.0%