Security Bulletin: IBM Cloud Pak for Data is vulnerable to obtain sensitive information due to Node.js undici ( CVE-2023-45143 )

Summary

Node.js undici is used by IBM Cloud Pak for Data as part of the <product functionality using the 3rd party software>. CVE-2023-45143.

Vulnerability Details

CVEID:CVE-2023-45143
**DESCRIPTION:**Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to clear cookie header on cross-origin redirect in fetch. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain cookie header information, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268649 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data| 4.0.0-4.8.4

Remediation/Fixes

IBM****strongly recommends addressing the vulnerability now.

Product(s)

|

Version(s) number and/or range

|

Remediation/Fix/Instructions

—|—|—

IBM Cloud Pak for Data

|

4.0.0-4.8.4

|

Download 4.8.5 and follow instructions

Workarounds and Mitigations

None