IBM1CF861266C1147AA5CFF1D3A424578DD3689025A0A2C6C7F3BC77B265B676F6BSecurity Bulletin: IBM MQ Appliance is vulnerable to open redirect due to follow-redirects (CVE-2023-26159)
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.0%
Summary
Follow-redirects is used by IBM MQ Appliance as part of the MQ Console. CVE-2023-26159.
Vulnerability Details
CVEID:CVE-2023-26159
**DESCRIPTION:**follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ Appliance | 9.3 LTS |
| IBM MQ Appliance | 9.3 CD |
Remediation/Fixes
This vulnerability is addressed under APAR IT45253
IBM strongly recommends addressing the vulnerability now.
IBM MQ Appliance version 9.3 LTS
Apply IBM MQ Appliance 9.3.0.17 cumulative security update, or later firmware.
IBM MQ Appliance version 9.3 CD
Apply IBM MQ Appliance 9.3.5 Continuous Delivery release, or later firmware.
Workarounds and Mitigations
None
Affected configurations
Related
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.0%