CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
AI Score
Confidence: High
EPSS Percentile: 28.4%
IBM Business Automation Workflow Workflow Center user interfaces package vulnerable versions of open source dependencies.
**CVEID:** CVE-2023-26159 **DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
**CVEID:** CVE-2023-45857 **DESCRIPTION:** Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. Axios inserts the X-XSRF-TOKEN header, populated with the secret XSRF-TOKEN cookie value, into all requests to any server whenever the XSRF-TOKEN cookie is available and the withCredentials setting is turned on. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
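As an added example (not code from the IBM bulletin or from axios itself), the following JavaScript models the condition in the axios description above: the XSRF-TOKEN cookie value is copied into the X-XSRF-TOKEN header for credentialed requests to any host, shown beside a hardened variant that gates the header on a same-origin check. The page origin, cookie value and sample URLs are constructed assumptions.

```javascript
// Added illustrative model of the CVE-2023-45857 condition; not axios source code.
// Assumed/constructed: the page origin, the cookie jar contents and the sample URLs.
const XSRF_COOKIE = "XSRF-TOKEN";
const XSRF_HEADER = "X-XSRF-TOKEN";

// Constructed browser state: the page's origin and its readable cookies.
const pageOrigin = "https://app.example.com";
const cookies = { [XSRF_COOKIE]: "constructed-token-123" };

// Same-origin means identical scheme, host and port (URL.host includes any port).
function isSameOrigin(requestUrl, origin) {
  const a = new URL(requestUrl);
  const b = new URL(origin);
  return a.protocol === b.protocol && a.host === b.host;
}

// Vulnerable behaviour: cookie present + withCredentials on => header sent to any host.
function vulnerableHeaders(requestUrl, withCredentials) {
  const headers = {};
  if (withCredentials && cookies[XSRF_COOKIE]) {
    headers[XSRF_HEADER] = cookies[XSRF_COOKIE];
  }
  return headers;
}

// Hardened behaviour: the header is attached only for same-origin targets.
function hardenedHeaders(requestUrl, withCredentials, origin = pageOrigin) {
  const headers = {};
  if (withCredentials && cookies[XSRF_COOKIE] && isSameOrigin(requestUrl, origin)) {
    headers[XSRF_HEADER] = cookies[XSRF_COOKIE];
  }
  return headers;
}

// Audit helper: which hosts would receive the token under a given header policy.
function hostsReceivingToken(headerFn, urls, withCredentials = true) {
  return urls
    .filter((u) => XSRF_HEADER in headerFn(u, withCredentials))
    .map((u) => new URL(u).host);
}

// Constructed sample: same-origin API call, third-party beacon, same host over plain HTTP.
const sampleUrls = [
  "https://app.example.com/api/orders",
  "https://cdn.third-party.example/pixel.gif",
  "http://app.example.com/insecure",
];
console.log("vulnerable:", hostsReceivingToken(vulnerableHeaders, sampleUrls));
console.log("hardened:  ", hostsReceivingToken(hardenedHeaders, sampleUrls));
```

Under the vulnerable policy the third-party host and the plain-HTTP origin both receive the token; under the hardened policy only the page's own origin does.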
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers | V23.0.2 | affected |
IBM Business Automation Workflow containers | V23.0.1 all fixes | affected |
IBM Business Automation Workflow containers | V22.0.2 all fixes | affected |
IBM Business Automation Workflow containers | V22.0.1 all fixes | affected |
IBM Business Automation Workflow containers | V21.0.3 - V21.0.3-IF028 | affected |
IBM Business Automation Workflow traditional | V23.0.1 - V23.0.2 | affected |
IBM Business Automation Workflow traditional | V22.0.1 - V22.0.2 | affected |
IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3.1 | affected |
IBM Business Automation Workflow Enterprise Service Bus | V23.0.1 - V23.0.2 | |
IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Not affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing Known Issue DT257576 as soon as practical.
Note that DT257576 supersedes DT258079.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF001 |
IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF029, or upgrade to 23.0.2-IF001 or later |
IBM Business Automation Workflow containers | V23.0.1, V22.0.1 - V22.0.2, V21.0.1 - V21.0.2, V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF029, or upgrade to 23.0.2-IF001 or later |
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT257576 (DT257576 supersedes DT258079) |
IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT257576 (DT257576 supersedes DT258079) |
IBM Business Automation Workflow traditional | V23.0.1, V22.0.1 - V22.0.2, V21.0.1 - V21.0.3.0, V20.0.0.1 - V20.0.0.2, V19.0.0.1 - V19.0.0.3, V18.0.0.1 - V18.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
Workarounds and Mitigations: None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 22.0.2 | cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 23.0.1 | cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 23.0.2 | cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:enterprise_service_bus:*:*:* |