IBM1D9D1AD0ACE91D239538DC610B585D70BC08A0714F0F37D5A811234FA1BAFEF7Security Bulletin: Multiple vulnerabilities in nodejs packages affect IBM Business Automation Workflow - CVE-2023-26159, CVE-2023-45857
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
23.1%
Summary
IBM Business Automation Workflow Workflow Center user interfaces package vulnerable versions of open source dependencies.
Vulnerability Details
CVEID:CVE-2023-26159
**DESCRIPTION:**follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
CVEID:CVE-2023-45857
**DESCRIPTION:**Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers |
V23.0.2
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF028
| affected
IBM Business Automation Workflow traditional| V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1| affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1 - V23.0.2
V22.0.2| Not affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing Known Issue DT257576 as soon as practical.
Note that DT257576 supersedes DT258079.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF001 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF029 |
| or upgrade to 23.0.2-IF001 or later | ||
| IBM Business Automation Workflow containers | V23.0.1 | |
| V22.0.1 - V22.0.2 | ||
| V21.0.1 - V21.0.2 | ||
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF029 | |
| or upgrade to 23.0.2-IF001 or later | ||
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT257576 |
| Note that DT257576 supersedes DT258079. | ||
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT257576 |
| Note that DT257576 supersedes DT258079. | ||
| IBM Business Automation Workflow traditional |
V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3
| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum
Workarounds and Mitigations
None
Affected configurations
Related
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
23.1%